Defending Bluetooth: Vendors say end-user education is the key to securing Bluetooth wireless connections. Page 8.


Storage scoop: Big-name vendors Dell, EMC, IBM and Sun are readying Serial ATA storage arrays. Page 8.
Web application security


Hackers are using tricky maneuvers such as SQL injection, cross-site scripting, cookie poisoning and authentication hijacking to seize control of your Web servers. In this Technology Insider, we outline a game plan for protecting your Web apps. Page 47.

Tools. Network administrator Eric Beasley of Baker Hill uses a variety of Web application firewalls, intrusion-protection systems and vulnerability scanners to blitz against attacks. Page 47.


JOHN  BRAGG 


Web application security 101: Glean eight practical tips for tightening your Web applications' defenses. Page 50.


Clear  Choice  Test: 

Two  of  the  leading  Web 
application  firewall 
appliances  prove  to  do  a 
solid  job  of  blocking 
application-level  exploits. 
Page  54. 
CLEAR CHOICE

The Teros Secure Application Gateway 100

Online: Find a Buyer's Guide of Web application firewalls at www.nwfusion.com, DocFinder: 2044.


Microsoft  maps 
future  of  Windows 


Five-year  blueprint  for  servers  raises 
licensing,  support  concerns  for  users. 


Redmond  enlists 
security  vendors 
to  automate 
policy  compliance. 

■  BY  ELLEN  MESSMER  AND 
JOHN  FONTANA 

Microsoft is working with anti-virus vendors to ensure that in the future its software will be able to verify a user’s desktop is secure and updated anti-virus signatures are in place before granting access to corporate resources.

With  its  forthcoming  security- 

See  Security,  page  74 


■  BY  JOHN  FONTANA 

Microsoft last week released a five-year road map for its Windows Server that contains licensing and support requirements experts say are another tactic to pressure corporations to accept the software giant’s controversial licensing program.

The road map, highlighted by the first ship date announced for the Longhorn Server operating system, lays out a four-year cycle between major operating system upgrades.

A Wider Net

Next year, Microsoft plans a smaller upgrade of Windows Server 2003, which will add support for features such as Trustbridge, directory-enabled middleware that supports the federating of identities across corporate boundaries.

The  update  will  require  users 
without  maintenance  contracts 
to  purchase  a  new  server  license. 

See  Server,  page  74 


VoIP  talk  tops  NetWorld+Interop 


■  BY  NETWORK  WORLD  STAFF 

LAS VEGAS — A lean but vibrant NetWorld+Interop last week drew IT executives focused on exploring specific new technologies, with VoIP high on their lists.

While the show’s attendance figure was projected to be between 17,000 and 20,000 — compared with 20,000 last year — the mood was upbeat, and attendees seemed primed to track down products they need for specific projects ranging from Wi-Fi installations to beefing up security to

See  Interop,  page  10 


More  news 
from 
■ Securely connecting to the corporate WAN. Page 10.

■  MCI  to  focus  on  customers, 
network  reliability.  Page  12. 

■  Making  metro  Ethernet 
more  reliable,  cost-effective. 
Page  12. 


Are you l33t?

One-time hacker slang now ridiculed by all except those who use it.

■  BY  J3FF  C4R00S0 

They’re a familiar sight on chat boards, in spam messages and in viruses. Even a co-worker might use one — jokingly of course. They’re words that look unpronounceable: “l33t,” “w00t” and “h4x0r,” among many others.

They’re all part of “l33tspeak” (pronounced “leet speak”), Internet slang that at one time identified the writer as a proficient hacker and now identifies anyone who uses it seriously as a hopeless wannabe.

L33tspeak started in the 1980s in the hacker community.

See Leet, page 76


8 Big names rally around Serial ATA storage.

8  Bluetooth  is  spreading  —  so  are  security  concerns. 

10  Foundry,  Adtran  air  access  gear. 

12  MCI  slashing  workforce  again,  but  insists  customer  service  won't  suffer. 
12  Users  want  metro  Ethernet,  if  it’s  reliable  and  cheap. 

12 Altiris answers help desk's call.

14  It's  all  about  the  data  for  retailers. 

14  BellSouth  unveils  IP  Centrex. 

16  Data  center  spec  set  for  debut. 

17 Systinet revamps, renames Web services tools.
Web application security

CLEAR  CHOICE 


The  battle  between  hackers  and  security  professionals  has  moved  from  the  network  layer  to  the  Web  applications 
themselves.  In  this  Technology  Insider,  we  highlight  the  best  defensive  tools  and  maneuvers.  Page  47. 

Blitz  against  attacks:  Armed  with  Web  application  firewalls,  intrusion-protection  systems  and 
vulnerability  scanners,  companies  are  defending  against  hacker  exploits.  Page  47. 

Tips:  Eight  ways  to  shore  up  Web  application  security.  Page  50. 

Web apps: Our test of two of the leading Web application firewall appliances finds that they do a solid job of blocking application-level exploits. Page 54.

Online: Get a Buyer's Guide of Web application firewalls at DocFinder: 2044.
Infrastructure

■  19  Big  Blue's  mainframe  gathers 
no  rust. 

■  19  IBM  adds  Brocade  switches 
to  BladeCenter. 

■  21  Novell  eases  pricing  for  Linux 
support. 

■  21  Radware  revamps 
acceleration  software. 

■  22  Dave  Kearns:  Mostly  an 
issue  of  trust. 

Enterprise Applications

■ 25 IBM software targets desktop, devices.

■  25  Oculan  offers  low-cost  server 
management. 

■  32  Scott  Bradner:  Forced 
admissions  of  poor  security. 

Service  Providers 

■  33  Nextel  adds  international 
service  to  Direct  Connect  and 
access  to  Salesforce.com. 

■ 34 Internap integrates route optimization acquisitions.

■ 34 Johna Till Johnson: Winning strategies for next-generation network design.

■  36  Special  Focus: 

ISPs  pull  out  a  variety  of  different 
numbers  to  build  case  that  their  nets 
are  biggest,  best. 


Technology Update

■ 39 E-mail appliances shore up security.

■ 39 Steve Blass: Ask Dr. Internet.

■ 42 Mark Gibbs: RSS technology, take 2.

■  42  Keith  Shaw:  Cool  tools, 
gizmos  and  other  neat  stuff. 

Opinions 

■ 44 On technology: Outlook good from N+I.

■ 45 Jeff Kaplan: Redefining maintenance.

■ 45 Thomas Nolle: MCI's marching orders.

■  77  BackSpin:  Worry,  worry, 
worry,  worry. 

■  77  Compendium:  The  cost 
of  blogging. 

■  69  Career  classifieds. 

Management Strategies

■ 61 Data center staffing: Automation and virtualization advances could force IT pros out of work if they don’t evolve their skills.


Polycom V500 offers videoconferencing via TV. Page 42.
Exclusive

Network World Mini Showdown:

Security:  Build  it  or  buy  it? 

Bruce  Schneier  of  Counterpane  Internet  Security  and  Nir  Zuk  of 
NetScreen  Technologies  debate  whether  it's  best  to  buy  components  and 
piece  together  best-of-breed  custom  defenses,  or  simply  procure  security 
as  a  service  and  leave  the  driving  to  the  experts?  DocFinder:  2052 

Network  World  Mini  Showdown: 

The  New  Data  Center 

Network  World's  John  Gallant  moderates  a  presidential-style  debate 
between  two  innovative  vendors  of  equipment  for  the  new  data  center: 

Redline  and  NetScaler.  Hear  them  duke  it  out  over  which  vendor  has  the 
best  offering  for  your  data  center.  DocFinder:  2053 

Network  World  Radio 

Lab  Alliance  member  Rodney  Thayer  discusses  the  state  of  802.1X,  a 
standard  that's  gaining  traction  in  wireless  nets.  DocFinder:  1962 

N+I 2004 news

If  you  missed  the  show,  get  a  complete  roundup  of  all  the 
announcements,  news  and  keynotes.  DocFinder:  2054 

InteropLabs  Net  SIP  white  papers 

Get  all  you  need  to  know  on  Session  Initiation  Protocol  via  five  exclusive 
white  papers  (scroll  down  the  page).  DocFinder:  2055 


What  is  DocFinder? 

We’ve  made  it  easy  to  access  articles  and  resources 
online.  Simply  enter  the  four-digit  DocFinder  number  in 
the  search  box  on  the  home  page,  and  you’ll  jump 
directly  to  the  requested  information. 


■ CONTACT US Network World, 118 Turnpike Road, Southborough, MA 01772; Phone: (508) 460-3333; Fax: (508) 490-6438; E-mail: nwnews@nww.com; STAFF: See the masthead on page 12 for more contact information. REPRINTS: (717) 399-1900

SUBSCRIPTIONS/CHANGE OF ADDRESS: Phone: (508) 490-6444; Fax: (508) 490-6400; E-mail: nwcirc@nww.com; URL: www.subscribenw.com


Columnists 

Wireless  Wizards 

Protecting  data  in  an  open  WLAN  environment 
The  Wizards  answer  the  question:  “What  is  the  best  way  to 
protect  data  in  an  open  environment  (i.e.,  education),  where  IT 
has  little  control  over  clients?"  DocFinder  2056 

Telework  Beat 

Connections  2004  conference  notebook 
Net.Worker  Managing  Editor  Tom  Kistner  says  digital  home 
visions  extend  beyond  entertainment  DocFinder  2057 

Small  Business  Tech 

Remote  access  recipes,  Part  1 

Columnist  James  Gaskin  explains  ways  to  make  your  data 

available  when  your  workplace  isn't.  DocFinder  2058 

Home  Base 

Routed! 

Help  columnist  Steve  Ulfelder  choose  and  install  a  router 

DocFinder  2059 

Seminars  and  events 

Are you totally secure in your enterprise security management?

Are you managing your network as a security intelligence asset? Find out how and get the answers you need at Enterprise Security: Fail-Safe Architecture, a new Network World Technology Tour Event. Click, qualify and attend free.

DocFinder: 1856


Breaking  News 

Go online for breaking news every day. DocFinder: 6342

Free e-mail newsletters

Sign up for any of more than 40 newsletters on key network topics. DocFinder: 6343
German police say they have Sasser writer

■ German police last week arrested an 18-year-old man on charges he created the Sasser worm that disrupted networks around the world two weeks ago by penetrating unpatched Microsoft-based computers. The arrest of Sven Jaschan, who lives with his parents near the German town of Rotenburg, occurred after Microsoft received tips about Sasser’s creator and passed them on to law enforcement. German law enforcement says Jaschan has confessed to creating the Sasser worm and one called Netsky. However, the arrest did not stop yet another variant of the Sasser worm — Sasser.F — from appearing on the Internet last week.

Mercury  Interactive  to  acquire  Appilog 

■  Mercury  Interactive  last  week  announced  plans  to  buy  Appilog,  a  three-and-a-half- 
year-old  maker  of  software  used  to  discover  and  map  relationships  among  applications 
and  their  underlying  infrastructure.  The  $49  million  cash  deal  is  intended  to  bolster 
Mercury’s  application  management  line.  Mercury,  a  $500  million-plus  software  vendor 
that  ranked  77th  on  this  year’s  Network  World  200  list,  also  sells  application  tuning  and 
IT  governance  products.  Appilog,  based  in  New  York,  is  privately  held  and  employs  about 
40  people.  Mercury  initially  plans  to  sell  Appilog’s  stand-alone  software,  but  the  bigger 
play  is  to  meld  it  into  Mercury’s  offerings,  starting  with  its  Business  Availability  Center 
software. 

Gric  expecting  to  change  name 

■ Gric Communications, best known as an aggregator of remote-access services, is putting a new face on the company — or at least a new name. The company is expected to change its name to GoRemote on May 19 at its shareholders meeting, according to a company executive, although the change is not official. This is the second name change for the 10-year-old company. The service provider was originally known as AimQuest and then changed its name to Gric in 1998. Gric stands for Global Reach Internet Connection, which is what the company calls its network. Gric offers dial-up, DSL and Wi-Fi remote-access services to business users around the globe.


“God! Putting a picture of myself as my screen saver was the greatest thing I've ever done!”

Jeff Kohut of Evansville, Ind., has been crowned King of All Captions this week by providing the above and making us spit Diet Coke all over our keyboard. Help us ruin our keyboard every week by entering our Weekly Caption Contest. Head to Layer 8 for details, www.nwfusion.com, DocFinder: 2066.


Good  Bad  Ugly 
Crime pays ... for bounty recipients. Microsoft credited its monetary reward program, in part, for encouraging informants to step forward and help identify the alleged perpetrator of the Sasser worm. Microsoft says it will pony up $250,000 if the 18-year-old German who was arrested is convicted.

Goodbye Wi-Fi. You'd think selling Wi-Fi products these days would be something akin to printing money. Apparently not for Microsoft, which last week said it is discontinuing its Wi-Fi routers, adapter cards and other offerings, after getting into the market in 2002.
The poop on SAS. Software company SAS attempted to lure one of our editors to its customer conference in the Great White North last week by sending ... Moose Droppings. The convoluted connection between the company and the chocolate treats with the nasty name? “SAS, like the mighty moose, is the embodiment of stability and strength in the [business intelligence] industry."


All  WLAN  circuits  are  busy 

■ The Australian Computer Emergency Response Team has confirmed a “trivial but effective” wireless LAN denial-of-service attack. According to the advisory issued last week, a semi-skilled attacker can use a handheld device with any 802.11b or 802.11g card to disrupt WLAN traffic for other devices within range. The attack entails writing code that creates, in effect, a WLAN “busy” signal. The other devices continually postpone their own transmission because they all think the attacking device is transmitting on the wireless channel. Once this jamming transmission stops, the network recovers at once and works normally. The vulnerability was first reported by Computerworld Today, based on work by researchers at Queensland University of Technology’s Information Security Research Centre.

Smaller  carriers  looking  to  delay  portability 

■ Cellular telephone carriers should be ready for a second deadline for allowing number portability, but many rural wireline telephone companies are trying to get out of the national portability rules, officials with the Cellular Telecommunications and Internet Association said last week. Most cellular and wireline carriers outside of the 100 largest U.S. markets face a May 24 deadline from the FCC to let customers switch carriers and retain their telephone numbers. Cellular carriers in the 100 largest U.S. markets, representing about 70% of U.S. cellular customers, had to allow number portability after Nov. 24. However, the deadline this month lets state public utility commissions grant extensions to some carriers. Hundreds of rural local exchange carriers have filed requests for extensions, CTIA officials said. The extensions would range from a few months to an indefinite period, and some already have been granted.

Cisco  adding  jobs ...  not  so  Enterasys 

■ Cisco breathed some life into the IT job market this week, announcing the addition of 1,000 jobs. The increase in staff comes after Cisco added 200 jobs in the previous quarter, its first large-scale hiring in three years. The company said it is adding jobs in its emerging technology businesses, which include IP telephony, security and storage. But all is not rosy in the network arena: Enterasys Networks cut 200 jobs earlier this month after the company reported a first-quarter net loss of $35.7 million.
Serial storage garners big name support

EMC and Dell partner, while Sun and IBM deliver high-density arrays.


Storage sampler

Some of the biggest names in storage are rolling out Serial ATA packages.

Product              Maximum capacity   Purpose
Dell/EMC AX100       3T bytes           Bundled SAN, includes Fibre Channel switch and host bus adapters
EMC Clariion AX100   3T bytes           Low-end Clariion storage
IBM FAStT 100        3.5T bytes         Low-end archival storage
Sun                  16T bytes          Nearline archival storage

■ BY DENI CONNOR

There’s been much talk about Serial Advanced Technology Attachment storage arrays over the past year, but it’s only now that many of the biggest names in the industry are ready for action.

Sources say EMC and Dell are partnering to deliver relatively low-cost storage arrays based on Serial ATA that are designed for small and midsize customers, and IBM is doing the same.

Sun, meanwhile, is prepping a higher-end Serial ATA offering, sources say. Besides IBM, which formally announced its product last week, the vendors declined to comment specifically on products. The devices are expected to be available as soon as next month.

Industry watchers see Serial ATA, built to be speedier and more flexible than an earlier parallel version of the technology, as a fit for storing data that doesn’t change much and doesn’t need to be accessed often. But packaged with switches and host bus adapters, it is seen as anchoring storage-area networks (SAN) at small offices and businesses.

“[Serial ATA] is ideal for information life-cycle management computing environments requiring large, near-line, affordable storage capacity,” says Mark Canepa, executive vice president of Sun’s Network Storage Products Group.

Sources say Sun will unveil a product called the StorEdge 3511 FC Array with Serial ATA, a system that will expand from 1.25T to 16T bytes and connect to as many as 12 host computers. It will work across Windows, Linux, Unix and NetWare, come in a 3.5-inch-high enclosure and include four Fibre Channel expansion ports, virtually eliminating the need for a Fibre Channel switch.

The device is said to have hot-swappable and redundant RAID controllers, power supplies and fans, and be manageable over IP or serially with Sun's StorEdge Configuration Service.

Dell and EMC are working together on a smaller box, which can fit 12 250G-byte Serial ATA drives for a maximum capacity of 3T bytes. Dell will market the box as the Dell/EMC AX100. EMC uses the code-name Piranha for the system, which it will call the Clariion AX100 and market through Dell, Fujitsu and other partners.

Dell will bundle the AX100 with an eight-port Brocade switch and Qlogic host bus adapters as an entry-level storage-area network starting at $11,000 for a 0.5T-byte configuration.


Customers are impressed with the price.

Daren Gillespie, network administrator for the Nebraska State Legislature in Lincoln, says he was told by his Dell sales contact to wait to purchase a Network Appliance file server until Dell made its low-end SAN announcement.

“We’d be putting everything on the SAN — SQL Server, MySQL and possibly Oracle databases,” Gillespie says.

Connecting up to eight host computers, the AX100 is intended for small and midsize businesses moving away from direct-attached storage. The box is targeted at businesses that use NetWare, Windows or Linux file servers and have five or more servers.

“The pieces in the technology puzzle are finally coming together for the low end of the market, especially small and midsize businesses, to convert to network storage,” says Bart Kaplan, systems and storage analyst for Precursor, a research firm for institutional investors in Washington, D.C.

The AX100 will be configured in both high-availability and less-business-critical models, sources say. The high-availability model will have dual storage processors; the less powerful array will have one.

The AX100 will support only RAID 5 and will ship with Navisphere Express, PowerPath Base and SnapView, which give it management, failover and point-in-time copy capability.

For its part, IBM announced a Serial ATA array called the FAStT100, which is designed for the near-line storage needs of small and midsize businesses and scales to as much as 3.5T bytes. The FAStT100 is expected to ship in July, priced starting at about $15,000. Unlike Dell’s and EMC’s box, the FAStT100 does not support iSCSI, nor is it packaged with a Fibre Channel switch or host bus adapters. ■


Bluetooth’s  sprawl  heightens  security  concerns 


■  BY  JOHN  COX 

Michael Ciarochi used to see Bluetooth as just a convenient way to hook up a keyboard to a laptop or PDA at HomeBanc Mortgage, where he’s senior WAN/security engineer.

That was until he got a shipment of new laptops as part of a planned technology upgrade. Much to his surprise, each system came with a built-in Bluetooth radio, creating what he says amounted to a hidden window into any sensitive or confidential data that might be stored on the laptops’ hard drives.

“I disabled each Bluetooth radio,” he says. But Ciarochi is still not completely at ease. “That doesn’t mean the users can’t re-enable it,” he says.

Ciarochi’s experience is becoming more typical in corporate America. As GSM cellular networks expand in the U.S., more and more cell phones are appearing with Bluetooth radios to link them with headsets and handhelds. More laptops are shipping with Bluetooth built in so that end users can quickly send a file to a Bluetooth printer or PDA. And even as this is happening, many end users have little real understanding of Bluetooth, such as that its maximum range can vary between 30 and 300 feet.

Trivial  but  troubling 

A number of basically trivial but still troubling Bluetooth exploits prompted the Bluetooth Special Interest Group, a vendor group, last week to hold a teleconference on security. The speakers stressed that the wireless specification has a well-thought-out security architecture. They said that the most-reported incidents, known by names such as Bluejacking and Bluesnarfing, are mainly annoyances and that users can take simple steps to protect their devices and data.

In Bluejacking, a user swaps a short message for the contents of a business card and then sends it to any nearby open Bluetooth device. Bluesnarfing is more serious: You can steal a file of phone contacts or calendar data from another device. But snarfing exploits a flaw not in the Bluetooth specification but in some earlier vendor implementations of it, according to Nick Hunn, a managing director with PDK Systems Europe and a participant in the teleconference.

There is a chance of pulling information from a handset. But it requires a laptop, scripts and familiarity with the Bluetooth specification. “The likelihood of anyone doing this is probably remote,” he says.

Designed  for  security 

Bluetooth’s creators designed it with security in mind, says Michael McCamon, the special interest group’s marketing director. It supports authentication, 128-bit encryption and additional higher-level security protocols that can run over the connection. Devices can be discoverable or invisible: In discovery mode, sometimes called promiscuous mode, the device is visible to any other Bluetooth device within range.

Promiscuous can be seductive, users say. Karl Feilder, CEO of Red-M, which offers wireless LAN and Bluetooth-monitoring systems, has a BMW equipped with Bluetooth. “When I move in range of my car, as long as my cell phone is on and Bluetooth is in promiscuous mode, my car will answer my phone,” he says. “But when I get out of my car, and don’t switch off my phone, then anyone can connect to me.”

Conversely, McCamon says, when promiscuous is shut off, another device can’t connect to his.

Similarly, pairing can be active or inactive on a device. When active, pairing lets two devices — such as a Bluetooth PC and printer — permanently remember each other. If pairing is shut off, that association, which McCamon says takes about 30 seconds, can’t take place.

And these characteristics are the basis for the special interest group’s recommendations. Keep discovery switched off and do pairings only in private locations. If you want to be discovered, use a Bluetooth identifying name that doesn’t advertise the kind of device you have. Don’t act on Bluetooth messages if you don’t know the source.
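The recommendations above (discovery off, pairing off outside deliberate pairing sessions, no device-revealing name) can be audited on a Linux laptop from the output of BlueZ's `bluetoothctl show`, which also catches a user re-enabling the radio. This is an added example, not part of the original article; the sample output, the finding labels and the device-name word list are constructed assumptions.

```python
import re

# Constructed sample of `bluetoothctl show` output; not captured from a real host.
SAMPLE_SHOW_OUTPUT = """\
Controller 00:11:22:33:44:55 (public)
    Name: hb-laptop-0142
    Alias: Dell Latitude D600 - Finance
    Powered: yes
    Discoverable: yes
    DiscoverableTimeout: 0x00000000
    Pairable: yes
"""

# Assumed word list: terms in a broadcast name that advertise the kind of device.
DEVICE_HINTS = re.compile(
    r"\b(laptop|notebook|phone|pda|headset|printer|dell|nokia|latitude|thinkpad|ipaq)\b",
    re.IGNORECASE,
)


def parse_show(text):
    """Parse `bluetoothctl show` output into {controller_address: {field: value}}."""
    controllers, current = {}, None
    for line in text.splitlines():
        head = re.match(r"Controller\s+([0-9A-Fa-f:]{17})", line)
        if head:
            current = controllers.setdefault(head.group(1).upper(), {})
            continue
        if current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return controllers


def audit(text):
    """Return (address, finding) pairs for settings that go against the recommendations."""
    findings = []
    for addr, fields in parse_show(text).items():
        if fields.get("Powered") != "yes":
            continue  # radio is off: nothing is exposed over the air
        if fields.get("Discoverable") == "yes":
            # A timeout of 0 means the adapter stays discoverable indefinitely.
            raw = fields.get("DiscoverableTimeout", "0x0").split()[0]
            timeout = int(raw, 16)
            findings.append((addr, "discoverable" if timeout else "discoverable-no-timeout"))
            # The alias is the name other devices see during discovery.
            if DEVICE_HINTS.search(fields.get("Alias") or fields.get("Name", "")):
                findings.append((addr, "name-reveals-device"))
        if fields.get("Pairable") == "yes":
            findings.append((addr, "pairable"))
    return findings


if __name__ == "__main__":
    for addr, finding in audit(SAMPLE_SHOW_OUTPUT):
        print(f"{addr}: {finding}")
```

On a managed fleet, the same function can be fed the live command output on a schedule so that a re-enabled or discoverable radio shows up as a finding.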

More  ominous 

But  some  with  growing  experience  in 
Bluetooth  point  to  more  ominous  potential 
problems. 

Bluesniff (www.nwfusion.com, DocFinder: 2061) is a proof-of-concept Bluetooth wardriving tool, designed to scan and identify devices. “Like Netstumbler for 802.11 wireless networks, Bluesniff helps hackers identify all Bluetooth networks,” says Joseph Dell, CTO for Vigilar, an Atlanta information security firm. “Since most are deployed with security
See Bluetooth, page 76
expanding storage. The number of vendors exhibiting jumped from 258 last year to 350 this year, show officials say; and the show occupied 150,000 square feet, up from 125,000 in 2003.

No technology drew more attention than VoIP and convergence. Sessions on the topic were standing-room-only, as attendees sought answers to their deployment questions and demanded more from vendors. Management, price, reliability and interoperability all cropped up as issues that customers face when they consider implementing VoIP.

VoIP top 10 list

A survey by Nemertes Research of 45 IT executives familiar with conversions to VoIP yielded these tips, in order of importance, for anyone undertaking such projects.

1. Educate users before installing the VoIP gear.

2. Mandate training for end users.

3. Don’t automatically choose Cisco gear.

4. Don’t underestimate the time and expertise needed.

5. Be sensitive to tension between voice and data staff.

6. Upgrade the entire network as needed beforehand.

7. Conduct a baseline network assessment.

8. Evaluate power requirements for handsets.

9. Don’t overestimate cost savings.

10. Keep quality standards as high as for traditional phones.

Easy VoIP rollouts just aren’t reality today, show goers said.

“It’s not as easy to deploy and implement as vendors would have you believe,” said Andreas Antonopoulos, an analyst with Nemertes Research, who presented advice collected from IT executives who are veterans of VoIP deployments (see graphic, above).

Top among users’ gripes is the lack of management tools for controlling voice quality as it crosses networks, Antonopoulos said, although vendors are trying to respond.

For instance, Computer Associates used an unannounced VoIP-management product, Smart BPV (Business Process View) software, to monitor the N+I show network, producing displays of virtual LAN, wired, wireless and voice network statistics. The formal launch of the product is set for CA World in Las Vegas next week.

Smart  BPV  watches  for  specific 
packets,  ports  and  protocols  to 
identify  voice  traffic  and  collect 
data  such  as  response  time,  echo 
and  jitter  for  integration  with  the 
company’s  Unicenter  Service 
Level  Management  software. 

CA said the integration will let help desk staff address voice/data network issues by identifying the source of problems. This is just the type of data sought by Ron Pike, telecommunications manager for EDAW, an urban planning firm in San Francisco, who is installing a 600-phone VoIP network with ShoreTel gear.

“They need to improve network status reporting,” he said, particularly reports on VoIP phone traffic broken down into voice packet load and signaling load. “I need a dashboard for real-time information.”

The problem extends to VoIP vendor Cisco, which has network performance management vendor NetQoS working on ways to measure IP voice traffic on Cisco’s corporate network. NetQoS said it will add the performance tools to its commercial offerings.

Another big issue with customers is reliability, despite steps taken by vendors. Will Schoentrup, technology manager for Tommy Bahama clothing company in Seattle, said his company is undecided about whether to buy traditional or IP PBXs. Reliability is the company’s main concern — especially from upper management. “They pick up the phone and they want a dial tone,” he said.

This concern is shared by the vice president of network architecture for a global financial company who spoke on condition of anonymity. “What if the WAN link went down? That would mean no phone service,” he said. Nevertheless, he added that Cisco’s failover technology makes it safe to deploy IP voice gear to the firm’s branch offices. The financial company is testing Cisco’s Survivable Remote Site Telephony, which routes calls to the public phone network if the IP WAN link doesn’t work. If it’s successful, IP telephony could save the company $1 million per year starting in 2005, he said.

“The Curse of the live demo.”

That was MCI President and CEO Michael Capellas’ quip after a demo failed during his keynote speech at N+I. Go online for more of the lighter side of Interop:

Financial auditing firm PricewaterhouseCoopers just bought conventional PBXs rather than IP PBXs even though it recognizes the potential to save money, said Peter Brown, head of internal firm services for global IT in New York. By the time the new boxes reach the end of their life, IP voice may be ready, he said. In the meantime the company saves $400,000 per year trunking VoIP links.

The cost of VoIP equipment is also a hindrance to adopting the technology, customers said. For example, the University of Southern California, which has 25,000 phones, is avoiding a universitywide VoIP deployment because of cost, said James Wiedel, director of networking for the school.

“Phones  break  all  the  time.  [IP 
telephony]  won’t  work  for  us  if 
we  have  to  use  some  IP  phone 
model  that  costs  $500,”  Wiedel 
said.  USC  is  looking  to  buy  new 
TDM  PBXs  for  now,  using  IP  to 
trunk  traffic  between  the  PBXs. 

Vendors also need to develop low-cost, analog-to-digital converters for devices such as videoconferencing bridges, so they need not swap out their old analog gear when they adopt VoIP, Schoentrup said.

Makers of voice gear need to embrace standards that promote interoperability between vendors’ gear, customers say.

“This is a real issue with corporate America and all its buyouts,” said John Haltom, network director of technology management for Erlanger Health Systems in Chattanooga, Tenn. “If our board decides to buy another hospital, how will we integrate the phone systems?”


This  includes  integration  with 
older  PBX  systems  so  that,  for 
example,  message  indicator  lights 
on  IP  phones  can  be  triggered  by 
legacy  PBXs,  said  Haltom,  who  is 
implementing  a  1,200-phone  IP 
voice  rollout. 

Equipment makers are working on the problem. At N+I, Extreme Networks and Avaya demonstrated that Extreme’s Epicenter network management and configuration tool can monitor and do some configuration of Avaya IP phone gear. Avaya demonstrated that its MultiVantage management software also can manage Extreme switches.

In another area, customers say vendors need to better train value-added resellers, the front-line troops installing and troubleshooting many VoIP projects. “Cisco has the technology and ShoreTel the same way but they don’t have a lot of VARs up to speed in the Seattle area,” Schoentrup said.

Bob Longhini, a veteran of a VoIP implementation, is considering a VoIP pilot that could lead to a 1,400-phone rollout over three years if it is approved, he said. Longhini, computing technical services IT supervisor at Jennie-O Turkey Store, a $1 billion turkey processing subsidiary of Hormel in Willmar, Minn., said the key is to keep up as the technology grows and to jump in when it meets the needs of individual customers.

“That’s why I’m here [at N+I],” he said, “to help get me up to speed.”

For their part, vendors put a more positive spin on VoIP. Keynote speaker Michael Capellas, CEO of MCI, said IP voice and video services are imminent and will become commonplace. “[Ultimately] we will completely embed telephony into the desktop with full streaming audio and video capabilities,” he said, describing an MCI/Microsoft collaboration service announced at the show. ■

Get more information online.
DocFinder: 2063
www.nwfusion.com


Foundry, Adtran air access gear

■  BY  PHIL  HOCHMUTH 

LAS VEGAS — Several vendors at NetWorld+Interop last week took aim at the enterprise WAN access market with gear that promises performance equal to or better than market-leader Cisco’s — but at lower prices.

Foundry Networks launched its line of AccessIron products for small and midsize remote offices, while Adtran announced its NetVanta 5000-series WAN gear for larger sites. Also, Kentrox released a router for corporations interested in connecting to broadband or metropolitan Ethernet services (see “Short Takes,” page 19). These vendors say their routers can help companies securely connect offices to an enterprise WAN for less money.

Foundry’s AccessIron 1200 and 3200 routers have integrated VPN support for up to 1,000 encrypted tunnels and stateful firewall features that could be used to link a small or large site to a WAN link or ISP connection. Foundry says its AccessIron delivers features equal to those available with Cisco’s 1700, 2600 and 3700 series routers, but costs about 30% less.

The AccessIron 1200 supports up to 16 fractional T-1 connections and includes an integrated DSU/CSU. The AccessIron 3200 supports two channelized or clear-channel T-3 connections. The routers are scheduled to be available in July and priced starting at $2,600.

Adtran’s NetVanta 5305 router supports two DS3 links, and includes stateful inspection firewall and IPSec VPN support for up to 2,000 VPN tunnels. The box supports VoIP line trunking, as well as VLAN trunking for connecting VLANs across corporate WAN.

The  basic  NetVanta  5305  chassis  starts  at  $7,000,  and  costs  up  to 
$10,000  with  a  T-3  connection  and  VPN  support.  Adtran  says  its 
NetVanta  5305  offers  the  same  performance  as  similarly  configured 
routers  from  Cisco  at  about  half  the  cost. 

While Cisco’s 1700, 2600 and 3700 series routers have long dominated the enterprise access-router market, several new competitors have jumped into the market over the last year. 3Com last fall introduced its Router 5000 series of router/VPN/firewall gear, and Enterasys launched its XSR series of integrated router/security boxes earlier in 2003. ■
WEIGHING THE COST OF LINUX VS. WINDOWS?

LET'S REVIEW THE FACTS.

Price Performance Comparison: File Serving

One Linux image running on two z900 mainframe CPUs: $415 (10 times more expensive)

One Windows Server 2003 image running on two 900 MHz Intel Xeon CPUs: $40

Source: Microsoft 2003 (Audited by META Group)

Linux was found to be over 10 times more expensive than Windows Server™ 2003 in a recent study. The study, audited by leading independent research analyst META Group, measured costs of Linux running on IBM's z900 mainframe for Windows-comparable functions of file serving and Web serving. The results showed that IBM z900 mainframe running Linux is much less capable and vastly more expensive than Windows Server 2003 as a platform for server consolidation.

To  get  the  full  study  and  other  third-party  findings,  visit  microsoft.com/getthefacts 


Altiris answers help desk's call for help

■ BY DENISE DUBIE

Altiris last week introduced an upgraded version of its help desk software that’s designed to cut down on support calls by automating fixes and letting end users help themselves.

Helpdesk Solution 6.0’s Smart Tasks component, announced at NetWorld+Interop, saves best practices and fixes to known problems that can be launched by frontline support staff. When a trouble ticket for a problem with a pre-defined fix is created, Helpdesk Solution will present a hot link with known resolutions.

Altiris management products consist of centralized server software and agents installed on managed clients, such as desktops, servers and mobile devices. Network managers access data and administer the product via a Web-based interface, which Altiris also upgraded so it can be customized.

Helpdesk 6.0, and specifically Smart Tasks, is integrated with Altiris asset and systems management tools, which lets automated actions such as patch deployments be initiated from the help desk software.

“We have written higher-level tasks into the software, making the help desk more active,” says Dwain Kinghorn, CTO at Altiris.

For example, if an end user calls the help desk and his problem is caused by an out-of-date software version, the help desk operator can click on a link to send the necessary upgrade.

Smart Tasks pulls data from a new knowledge base in which senior network managers can store best practices for reuse by the software. The asset management integration lets the software keep a record of software on machines, changes made and end-user issues, and generate reports based on that data.

Also new is a portal Altiris says will eliminate the need for end users to call the help desk in support situations. This feature lets end users search on their own for fixes to common problems.

Helpdesk Solution 6.0 is part of the Altiris Asset Management Suite, which costs $2,250 per concurrent user. ■


MCI cuts 7,500 more jobs

■ BY DENISE PAPPALARDO

As its revenue continues to slip, MCI is set to lay off another 7,500 employees by next month, a purge that would bring the company’s total job cuts to 34,500 — almost half the workforce — in just less than two years.

MCI often cites customer loyalty and its reputation for network reliability and service as its strengths. Despite the massive layoffs and a recent emergence from bankruptcy, company officials insist that hasn’t and won’t change.

“We raised service quality in every measure we have . . . and I think that’s a real tribute to the employees,” MCI CEO Michael Capellas said last week in a speech at NetWorld+Interop. MCI still has customers in 65% of Fortune 500 companies, he said.

But if the employees are to thank for this success, their departure might affect customer quality. In 2002 MCI employed about 77,000 people, which was in line with competitors AT&T and Sprint, which employed 71,000 and 75,000 respectively.

AT&T expects to end 2004 with about 57,000 employees, down 14,000. Sprint’s employees will be down to 64,200 this year, although a spokesman says Sprint likely will add jobs by year-end.

“Up until now there hasn’t been a material change in the way people feel about MCI,” says David Rohde, a senior analyst at TechCaliber Consulting, which helps corporate users.

MCI started cutting employees soon after it filed for Chapter 11 bankruptcy protection and the company hasn’t stopped. But Capellas says users will not suffer in this process.

“Customer service is a No. 1 priority,” he says. “We have been very careful to put automated tools in, we have been very careful on what we’ve done on customer service.”

Despite MCI’s assertions, customers need to be careful. “Users should, in particular, be keeping MCI on a short leash,” Rohde says. During the RFP process, users should look at adding wording to their contract that specifically says “who is serving your network and whether or not you can be shuttled to a program that has an anonymous 800 number,” he says.

Despite all the layoffs, according to a J.D. Powers and Associates report of more than 4,000 business users, MCI has maintained the same or slightly higher customer satisfaction levels from 2002 to 2003. The firm asked users questions ranging from network performance, reliability, their sales representatives, service costs, billing procedures and customer service. MCI’s customer satisfaction rating remains on par with AT&T’s and Sprint’s. ■


Users want metro Ethernet if it’s reliable and cheap

■ BY PHIL HOCHMUTH

Enterprise network professionals say metropolitan Ethernet services have promise as an alternative WAN transport, but carriers must focus on making the services more reliable and cost-effective.

In a roundtable discussion last week at NetWorld+Interop, several enterprise IT professionals met with metropolitan Ethernet service providers and integrators to discuss the needs and issues of metropolitan Ethernet in corporations.

Moderating the discussion were John Gallant, Network World editorial director, and Gary Southwell, director of the Metro Ethernet Forum, an industry organization. Panelists included AT&T, Time Warner Telecom, Memphis Networks, Verizon and Looking Glass Networks.

“I can’t emphasize latency enough as an issue,” said William Stewart, network director at Logitech, a consumer electronics manufacturer. While Logitech does not use metropolitan Ethernet, Stewart said latency in ERP applications and jitter in VoIP applications are more of a concern to him than running out of bandwidth.

Willis Marti, associate director of information services and networking at Texas A&M University, agreed that not all applications for metropolitan Ethernet necessarily need huge bandwidth. “Latency and jitter can be a real big deal,” Marti said. Texas A&M uses metropolitan Ethernet services from SBC to connect campuses in a few metropolitan areas.

He added that several healthcare facilities are on the school’s metropolitan network, where many jitter- and latency-sensitive applications are used, such as voice and video. “You just can’t assume that all [metropolitan Ethernet] customers have the same needs,” he added.

Verizon, which offers metropolitan Ethernet services, says it is seeing steady growth in the offering. On the latency issue, Mike Tighe, director of advanced data products and services for Verizon, said his firm is addressing it by upgrading all of its Cisco-based metropolitan switches with quality-of-service (QoS) capabilities in the fourth quarter.

Clearly, Tighe said after hearing users’ comments, “you want QoS and rate limiting, and they want resiliency to their locations.”

For UBS Financial Services, which runs its own multi-Gigabit metropolitan-area network in New York over dark fiber with dense wave division multiplexing technology, the idea of outsourcing the management of its MAN is attractive.

“Maintaining staff with the skills to troubleshoot an optical network is a challenge,” said Mark Katz, manager of network engineering at UBS.

As with other users, Katz’s concerns about metropolitan Ethernet involved the reliability of Ethernet as a service. Security was also a concern, he said.

“If [carriers] can offer a solution that solves those problems,” it would help UBS cut network costs, Katz said. “But in no way will we pay more for it” than for traditional telco WAN services. ■
Blocks Everything but Business.

The high-performance PRO Series - SonicWALL's answer to your network's most intrusive Internet security threats.

Think you're protected from the persistent invasion of application exploits, worms, and malicious traffic? Think again.

The PRO 4060 and PRO 5060 from SonicWALL® provide the most comprehensive intrusion prevention solution at an affordable price, boasting exceptional performance even while running other security, mobility, and productivity services. The SonicWALL high-performance PRO Series offers unmatched protection from application worms, blended threats, and exploits, including those propagated through instant messaging and peer-to-peer applications. These powerful integrated security appliances include Deep Packet Inspection with over 1700 signatures in a dynamically updated database. Tenacious attacks on your network are inevitable, but with IPS, content filtering, gateway-enforced anti-virus, and IPSec VPN, the SonicWALL PROs relentlessly combat threats and uncompromisingly boost your business productivity.

The SonicWALL high-performance PRO Series. Not just detection...prevention. Get to work.

To learn more about SonicWALL's high-performance PRO Series products with IPS — the mandatory element of network security — contact one of the resellers below or visit www.sonicwall.com/home/reseller.asp to find a SonicWALL reseller near you.
It’s all about the data for retailers

Retail Systems conference features variety of start-ups that promise help with inventory.

■ BY ANN BEDNASZ

A  handful  of  start-ups  targeting 
retail  industry  customers  have  a 
common  goal:  to  provide  tools 
that  quickly  cull  relevant  material 
from  among  the  massive 
amounts  of  data  that  business 
systems  collect. 

The retail industry is not traditionally on the cutting edge of IT. But growing competition, shrinking margins and an increasingly global supply chain are putting pressure on retailers to be more savvy about how they stock their shelves.

In response, retailers are investing in software to augment their existing in-store and back-office systems and deliver real-time or near real-time business information.

Such data-related technology will feature prominently at this week’s Retail Systems conference in Chicago, which is expected to attract about 4,000 attendees. Among the roughly 300 vendors slated to appear are first-time exhibitors TradeStone Software, QuantiSense, Netezza and Advanced Interfaces.

TradeStone’s niche is providing software to simplify the process of partnering with suppliers around the world. Launched in 2003, the privately funded company has built applications that are aimed at helping retailers manage relationships with global partners, from sourcing and order management through financing and international trade policies.

Margins on imported goods are about 12% higher than on domestic goods, yet retailers today directly import only about 10% of their inventory, says Sue Welch, CEO of TradeStone. One reason is that operational systems tend to be oriented toward domestic business, she says. TradeStone’s OneStep software fits in with existing systems — such as third-party vendors’ order entry, warehouse management and financial processing applications. It also adds international trade features to create a composite view of domestic and international purchasing functions.

Newcomer QuantiSense makes business intelligence software for retailers. Called QSIRetail, the software can help retailers make decisions around merchandising, inventory management, financial reporting and store operations. For example, QSIRetail can alert a retailer to impending out-of-stock conditions and suggest solutions such as reordering merchandise or transferring products from one location to another.

Netezza also offers an alternative to traditional data warehouses. Its product is a data warehouse appliance, called Netezza Performance Server, which combines a database, server and storage in one appliance. Netezza has raised $53 million in venture funding since its launch in 2000.

Spun out of Pennsylvania State University the same year, Advanced Interfaces has its own niche: video mining. Advanced Interfaces makes software that analyzes video from surveillance systems to glean information about customer shopping behavior and marketing effectiveness, for example.

The  company  is  expected  to 
announce  its  AI  Intelligent  Store 
Environment  software  at  this 
week’s  retail  show.  The  new  suite 
will  include  modules  for  video 


Retailers  in  the  market  for  data-analysis 
applications 

Applications  that  glean  business  trends  and  forecasting 
information  are  priorities  for  retailers,  according  to 
AMR  Research. 

Percentage  of  participants  planning  to  up-  BSI  Point  of  sale 
grade  or  replace  the  following  applications*:  Retail  planning 
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capture  and  video  management, 
along  with  packages  for  analyz¬ 
ing  customer  demographics  and 
behavior. 

Along  with  the  start-ups,  there 
will  be  plenty  of  established 
companies  exhibiting  at  Retail 
Systems.  Several,  including 
Evant,  JDA  Software  and  Retek, 
are  expected  to  showcase  tools 
for  improving  stores’  forecasting 


BellSouth  unveils  IP  Centrex 

Offering  is  the  first  network-based  VoIP  service  from  the  RBOC. 


■  BY  JIM  DUFFY 

BellSouth  last  week  unveiled  an  IP  Centrex 
service  for  businesses  looking  to  meld  voice 
and  data  services. 

The  Centrex  IP  service,  available  through¬ 
out  BellSouth’s  nine-state  Southeast  region, 
provides  traditional  Centrex  voice  services 
along  with  browser-based  call  management 
functions  that  link  users  to  other  data-ori¬ 
ented  service  applications  that  VoIP 
enables.  Such  services 
include: 

•  Find  Me,  Follow  Me, 
which  sends  communica¬ 
tions  to  e-mail, voice  mail  or 
wireless  phones  based  on 
time  of  day  or  availability 

•  Access  to  incoming  and 
outgoing  call  history  for 
tracking,  auditing  and 
record  keeping. 

•  Click  to  Dial  and  Click  to 
Conference  functions. 

•  Instant  messaging, 
chat,  polling  and  instant 
document  transfer  that 


More  online! 

Listen  to  highlight's  from  Johna  Till 
Johnson's  keynote  presentation  on  ways 
to  maximize  your  VoIP  investment. 

DocFinder:  1541 


can  run  concurrently  with  basic  voice 
conversations  for  more  interactive 
communications. 

Centrex  IP  also  reduces  the  costs  of  moves, 
adds  and  changes  because  IP  configuration 
at  the  desktop  is  less  expensive  and  time-con¬ 
suming  than  reprogramming  a  PBX, 
BellSouth  says.  The  service  also  enables 
access  to  office-calling  features  from  any 
remote  location  with  Internet  access. 

Centrex  IP  is  the  latest  VoIP  offering  from 
BellSouth  and  its  first  net¬ 
work-based  service.  The 
RBOC  has  provided  equip¬ 
ment-based  VoIP  services 
to  corporations  since  2001 
and  later  this  year  will 
unveil  a  network-based, 
softswitch-enabled  non- 
Centrex  service. 

The  carrier  also  plans  to 
eventually  offer  nation¬ 
wide,  or  out-of-region,  VoIP 
services,  says  Mark  Kaish, 
BellSouth  vice  president  of 
next-generation  services. 
Other  RBOCs  offering 


VoIP  to  corporations  include  SBC,  which 
unveiled  its  PremierServ  Hosted  IP  Com¬ 
munication  Service  last  fall.  Verizon  plans  to 
offer  a  managed  VoIP  service  to  businesses 
later  this  year,  as  does  Qwest,  which  currently 
has  a  consumer  VoIP  offering  in  Minnesota. 

Centrex  IP  is  based  on  Lucent’s  EBS 
Communication  Manager,  which  works  with 
telephony  systems  to  deliver  Web-based  busi¬ 
ness  applications;  and  iMerge  Centrex  Feature 
Gateway  which  delivers  Class  5  switch  func¬ 
tionality  over  a  packet  network. 

Separately,  BellSouth  said  it  will  deploy 
Nortel’s  packet  voice  tandem  switches  for  its 
core  network.  Network  testing  is  slated  to 
begin  soon, and  deployment  is  expected  dur¬ 
ing  the  second  half  of  the  year. 

BellSouth  expects  to  roll  out  its  first  voice 
tandem  system,  which  includes  Nortel’s 
Succession  Communication  Server  (CS) 
2000  softswitch  and  Succession  Multiservice 
Gateway  4000  products,  in  Memphis.  Suc¬ 
cession  CS  2000  will  operate  as  a  tandem 
switch  in  BellSouth’s  network,  transferring 
calls  between  BellSouth  Central  Offices. 
Succession  Multiservice  Gateway  4000  is  a 
TDM-to-packet  trunking  gateway.  ■ 


and  replenishment  capabilities. 

Inventory management is a hot topic as retailers struggle to find the right balance between buying too much and buying too little. Out-of-stock conditions hover around the 8% rate and cause billions of dollars in lost sales annually, analysts say.

At the show, Evant will detail the deployment results of one of its customers, Camping World. In its first six months of using Evant’s replenishment software, Camping World managed to cut its inventory investment by 10% while also significantly reducing out-of-stock conditions, says Chad Selvidge, senior vice president of merchandising and marketing at the Bowling Green, Ky., retailer. Camping World sells camping and recreational vehicle supplies through its 34 retail stores, Web site and catalog business.

Before deploying the software, Camping World conducted a search and found 400 of its core items were out of stock at one time, Selvidge says. Now its most important items are in stock about 99% of the time.

Radio frequency identification (RFID) also promises to be a hot topic at Retail Systems. Among the users scheduled to share their tales of RFID pilots are Linda Dillman, CIO of Wal-Mart; Paul Singer, CIO of Target; Neco Can, senior director of development at Abercrombie & Fitch; and Mike O’Shea, director of Auto ID/RFID strategies and technologies at Kimberly-Clark. ■
center spec set for debut


Lack  of  support  from  IBM,  Microsoft,  HP  and  others  raises  questions  about  impact 


Delegating development

The DCML Organization has four working groups geared toward crafting data center management specs.

Working group: Framework
Goal: Create overall approach fundamental to DCML; identify processes for other groups to follow.
Chairs: Tim Howes, Opsware

Working group: Applications and services
Goal: Define interoperability and interdependency specifications for applications and services.
Chairs: Darrel Thomas, EDS Automated Hosting Services; Eli Egozi, Computer Associates

Working group: Network
Goal: Focus on network hardware, embedded operating systems, configuration, and switching and routing elements.
Chairs: Dave Roberts, Inkra Networks; Christopher Burnley, Blazent

Working group: Server
Goal: Define a format for exchanging data to enable provisioning and management of data center servers.
Chairs: Ross Schibler, Topspin Communications; Josh Sirota, Marimba

■ BY DENISE DUBIE

Proponents of a management specification scheduled to debut next week say it will lay the groundwork for more automated data centers, though lack of support from many key players has cast doubt on the effort.

The Data Center Markup Language (DCML) Framework Specification 1.0 is scheduled to launch next week in Las Vegas at CA World, an annual conference run by Computer Associates, a leading DCML supporter.

The XML-based specification will provide an inventory of data center elements, describe how those pieces interoperate and define the various policies that bind them together. The specification encompasses a range of data center components, from servers to network gear and from applications to infrastructure software.

Supporters include vendors such as BMC Software, Electronic Data Systems, Mercury Interactive and Opsware, and users such as First Data, Lehman Brothers and the U.S. Census Bureau.

Conspicuous by their absence, however, are some leading voices in the move to a new data center and some of the top data center product suppliers. Companies that have not thrown their weight behind the effort include Dell, HP, IBM, Microsoft and Sun. Some of the major companies, such as IBM, are involved in their own efforts; some note that they are waiting to see how numerous standards efforts shake out. HP says it is keeping an eye on DCML through its partnership with automated data center software maker Opsware.

“If [the DCML Organization] is trying to create a standard for better service management of what is in data centers and they are missing the companies that supply about 90% of the components in data centers, then they are in trouble,” says Lance Travis, vice president at AMR Research.

Without DCML, proponents say the new data center will resemble the Tower of Babel, with systems and gear from multiple vendors unable to communicate or execute on automated actions. The lack of communication will prevent heterogeneous products from automatically integrating and dynamically provisioning and reallocating resources in the new data center, they say.

“We are getting a taste of what the future will look like today. Integrating management systems is manual, and there are too many sources of data to make sense of it,” says Tim Howes, director of the DCML board and CTO at Opsware. “A typical mature data center could have a dozen management systems in place that don’t talk to each other.”

Howes says DCML will complement industry standards such as Common Information Model and SNMP.

As envisioned, a modeling tool creates a DCML document describing a particular data center. This document then can be entered in a provisioning and configuration tool that “builds” a fully configured data center environment. As a descriptive language, DCML could be used to create a data center blueprint defining every element that must be configured and provisioned to re-create the environment automatically.

“I’ve always found that data center management, even when it’s done extremely well, is often done uniquely and differently even among different data centers at the same company,” says Adriaan Bouten, vice president of IT and business development at USAToday.com, in McLean, Va. Bouten is interested in DCML and says he’d like to see end-user organizations help steer vendor companies toward a computing model that will benefit enterprise IT managers.


“I  have  a  better  chance  of  getting  my 
vendors  to  work  together  if  something 
such  as  DCML  exists,”  he  says.  Bouten  says 
he  doesn’t  expect  a  speedy  development 
process,  as  “these  things  always  seem  to 
take  a  long  time,”  but  he  says  DCML  could 
get  “vendors  talking  in  the  same  language, 
which  indirectly  will  benefit  me.” 

Twenty  vendors  launched  the  DCML 
Organization  last  fall  and  about  45  more 
have  joined  since.  The  organization  is 
divided  into  four  working  groups  and 
plans  to  coordinate  its  efforts  with  those 
of  other  forums,  such  as  the  Distributed 
Management  Task  Force,  the  Storage 
Networking  Industry  Association  and  the 
Organization  for  the  Advancement  of 
Structured  Information  Standards 
(OASIS). 

What remains unclear is whether DCML will win over data center suppliers such as IBM, which has been active on a different data center standards effort. Last fall, the company, with partners such as Cisco, submitted the Common Base Event (CBE) format to OASIS and launched its Common Event Infrastructure (CEI). This is based on the CBE specification, which defines a standard format for the event logs that devices and software use to keep track of transactions and other activity. CEI would enable business process events from WebSphere and network device events from Tivoli monitoring products, for example, to be integrated, normalized and correlated on one screen for IT managers. Today that type of integration would be manual.

IBM says it isn’t ruling out working with DCML, but that it’s more focused on CBE and CEI.

Opsware’s Howes says the DCML effort will move ahead with or without the bigger vendors’ direct involvement. It’s not uncommon for larger vendors to join such efforts later in the process, he adds. ■
Systinet revamps, renames Web services tools


■  BY  JOHN  FONTANA 

Web services vendor Systinet this week will unveil a recharged server lineup and a new gateway for integrating legacy transaction messaging systems with the goal to provide corporate users with tools to build a service-oriented architecture.

The company released Systinet Server for Java 5.0, Systinet Server for C++ 5.0 and Systinet UDDI Registry 5.0, formerly branded under the name Web Applications and Services Platform. The company also introduced Systinet Gateway 1.0, which brokers the exchange of messages between Web services applications and message-oriented middleware (MOM) platforms.

Systinet  says  it  hopes  its  servers,  gateway 
and  registry  will  let  corporate  users  build 
SOAs.  An  SOA  lets  loosely  coupled  Web 
services  application  components  interact 
with  each  other  across  a  network. 

“Systinet is very much a platform vendor and every platform vendor has to have an SOA story,” says James Kobielus, an analyst with Burton Group. But he says that while Systinet’s story includes support for standards, the company is ahead of current customer deployments.

“Most Web services deployments today don’t involve [Universal Discovery, Description and Integration],” Kobielus says. The UDDI specification supports the creation of a Web services catalog. Systinet’s registry has been upgraded with support for UDDI 3.0, which adds security and subscription features.

Kobielus adds that Systinet’s support for emerging standards is a slippery slope. Systinet officials say they are placing early bets on the proposed standards they think will stick.

With Server for Java, Systinet is the first Java vendor to support WS-ReliableMessaging, a proposed Web services standard that Microsoft, IBM and BEA Systems are developing. In Server for C++, Systinet is the first C++ platform to support WS-Security, a standard that the Organization for the Advancement of Structured Information Standards approved in April.

The newest piece of the Systinet platform is the gateway, which supports two proposed standards from Microsoft and IBM, WS-Eventing and WS-Addressing, and established standards Simple Object Access Protocol and Web Services Description Language.

The gateway costs $25,000 per CPU. The registry starts at $10,000 per CPU, while the servers start at $2,000. ■

■ THIS WEEK'S QUESTION:

From where did data center product vendor Cyclades get its name?

Stumped? Get the answer online. Visit Network World Fusion and enter 2349 in the Search box.

www.nwfusion.com
Get in the running for $30,000 in cash and services with Network World's contest for IT professionals.

When you see those announcements about millions of dollars in venture capital being awarded to one start-up or another, have you ever thought to yourself, “Hey, what about me? What about my idea?” After all, professionals like you are the ones who know what products and services are needed to solve real-world problems.

Well, now is your chance. Introducing Network World’s “Who Wants to be an Entrepreneur?” contest, which will recognize the best idea for a new product, service or company. The contest, developed by Network World in conjunction with Commonwealth Capital, a venture capital firm in Wellesley, Mass., is sponsored by public relations firm fama PR of Cambridge, Mass., service provider Qwest Communications of Denver and the law firm of Testa, Hurwitz & Thibeault LLP of Boston.

We’ll give the winner a jump-start with venture capital exposure, $30,000 in cash and paid in-kind professional services, coverage in Network World, and a chance to rub elbows with other entrepreneurs at Network World’s annual Demo conference and exhibition in Scottsdale, Ariz.

So do you want to be an entrepreneur? Here’s your chance to take a shot.

Here’s how it will work:

• Entries (available at www.nwfusion.com, DocFinder: 1631) must be filled out and returned by midnight, May 17.

• Judges will identify three to five finalists. Judges include Network World editors as well as representatives from Commonwealth Capital, Gold Wire Technology, North Bridge Venture Partners, Sigma Partners and Testa, Hurwitz & Thibeault.

• The winner will be told by June 21 and announced in the June 28 issue of Network World.
N/WAN SWITCHES AND ROUTERS
ACCESS  DEVICES  ■  SERVERS  ■  VPNS 
OPERATING  SYSTEMS  ■  NETWORKED  STORAGE 
VOIP  ■  WIRELESS  NETWORKS 


Big  Blue's  mainframe  gathers  no  rust 

Big  Iron  takes  center  stage  but  Linux,  blade  servers  and  grid  computing  transform  its  role. 


■  BY  JENNIFER  MEARS 

Mainframe customers are taking a fresh look at the Big Iron that celebrated its 40th birthday last month. IBM is spurring things along with new pricing schemes; more powerful processors; support for non-proprietary technologies such as TCP/IP, Linux and Java; and on-demand offerings that put the mainframe in the reach of even the smallest customers.

Hewitt Associates’ mainframe environment is a classic example of how the Big Iron has evolved. Daniel Kaberon, director of computer resource management at the human resources outsourcing and consulting firm in Lincolnshire, Ill., says the company still uses the mainframe as the foundation of its data center. But it has integrated the system into an evolving architecture that links the mainframe with grid computing and blade servers to get more processing power at a lower price.

Nevertheless, some industry observers still see the mainframe as a dying breed.

“You can change and adapt the environment in which [the mainframe] works, but you can’t turn it into something which it is not,” says Bob Djurdjevic, president of Annex Research. “People will have to get rid [of the mainframe] eventually just as they got rid of key-punch machines and a myriad of other systems.”

Djurdjevic says the decline in mainframe revenue illustrates the trend. He says IBM has seen revenue drop — save for an uptick last year, the first upswing in eight years — to where it accounts for about 4% of Big Blue’s overall revenue. But that’s still around $4 billion, according to IDC estimates.

IBM doesn’t break out revenue for specific product lines, but did note in its annual report that zSeries revenue was up 7.4% in 2003, in large part because of the release of the z990 “T-Rex” last spring. In the first quarter this year, IBM reported that total delivery of zSeries computing power as measured in million instructions per second nearly doubled compared to the same quarter a year ago.

“This doesn’t come out and tell me that the mainframe is a dying platform,” Kaberon says.

He still runs his firm’s most critical applications on a Parallel Sysplex cluster of eight mainframes. But for those applications — or parts of applications — where the mainframe doesn’t make sense, Kaberon isn’t shy about making modifications.

Last fall, Hewitt moved a calculation engine that figures pension benefits off the mainframe and onto a grid of Linux-based, two-processor 2.8-GHz blades from IBM. He says costs associated with each calculation have dropped by more than 90% because it no longer uses expensive mainframe processing power.

Today, Kaberon is working on expanding the grid to support a composed print application that he wants to move off the mainframe, as well.

“We’re using the grid as the back end of the mainframe,” says Kaberon, who will lead a session focusing on this mainframe-grid architecture later this month at the Grid Today '04 conference in Philadelphia. “We really look at the grid as a mainframe compute peripheral. It’s a co-processor. You put the application on the mainframe and then spit part of it out to process and then bring the results back in. The whole workload is managed from the mainframe.”

Choose your battles

The basic idea, Kaberon says, is to find the best platform for specific application needs.

“Go ahead and make the mainframe the center of your large database, transaction-processing, storage world, but outsource pieces that are sensible to process off the platform,” he says, such as those processor-intensive applications that don’t require a lot of input and output. “Don’t move the whole workload, just outsource the action.”

For other business users, the focus is on bringing more workloads onto the mainframe, not siphoning them off. IBM has been extolling the capabilities of the mainframe for server consolidation, an important consideration for many companies dealing with a proliferation of Intel and Unix servers.

Sophisticated virtualization and partitioning capabilities, paired with improved support for Linux and Java platforms in the form of offload engines, have made the mainframe an attractive platform for server consolidation, users say.

Bob Massengill, manager of technical services at Wake Forest University’s Baptist Medical Center in Winston-Salem, N.C., runs primarily legacy healthcare applications on the mainframe, but says he is considering moving Oracle databases to Linux partitions within the mainframe to consolidate 30 Sun servers the databases run on today.

“It’s something we’re evaluating. We’re trying to see what the financial gain would be,” he says. He notes that with the Oracle licensing scheme, he would pay just one license fee for each mainframe engine no matter how many virtual machines the engine supports.

“Also, we’d likely reduce our management overhead,” he says. “It would be simpler and easier to manage, and you could expand with lesser cost.”

At Boscov’s department store in Reading, Pa., Linux has been the key to consolidating dozens of servers onto the mainframe. Since it deployed Linux on its IBM z900 mainframe in 2001, the store has consolidated about 40 of 70 NT servers onto the mainframe by turning those workloads into Linux instances. Now the focus is on migrating its Web site off a server farm and onto WebSphere Commerce Suite running on Linux on the mainframe.

“We, like all mainframe shops, are being squeezed to reduce the tremendous software costs that we are hit with,” says Joe Boole, technical director at Boscov’s. “That’s one of the reasons people like us are looking at open source operating systems.”

Preaching to the choir?

Despite the continuing evolution of the mainframe, analysts still question how many new customers are turning to the platform. IBM won’t comment on how much of its zSeries business stems from new buyers, vs. existing mainframe users upgrading their systems. To attract new customers, IBM last year reduced the complex and customized pricing system for zSeries hardware and software, cutting overall pricing by as much as 80%.

In addition, mainframes are available to users on a pay-per-use basis. That’s what opened the door to the mainframe for Mobil Travel Guide in Park Ridge, Ill., which gets mainframe capacity-on-demand from a z990 hosted by IBM.

“That gives us the flexibility to grow as large as we could possibly imagine without having to shift to a different hardware environment, change servers or upgrade. ... And in the off-season we can ramp down our capacity,” says Paul Mercurio, senior vice president and CIO at Mobil Travel Guide. “We have a slice of the z990, which is a virtual Linux partition. From the standpoint of our developers it looks to us like we have a dedicated Linux server. To IBM it’s a slice of a z990 that they sell to us on a utility basis.”

“Had we not made this decision, we’d likely be creating a complex of either Linux or Unix servers,” he adds. “We’re not large enough to justify a mainframe on our own.” ■

Mainframe mania?

According to a recent survey of about 150 attendees at a Gartner Data Center Conference session on the mainframe, large mainframe shops consider the 40-year-old platform key to their data center plans. A look at some of the results:

[Chart] How many mainframe MIPS does your organization have installed? (2003 and 2002)

[Chart] Which of the following most closely describes the outlook for your mainframe environment for the next three years? Responses: We will grow our MIPS through the growth of new and legacy applications. We will grow our MIPS primarily because of the growth of legacy applications. We will grow our MIPS primarily because of new applications. The number of MIPS we have will remain steady.

[Chart] What is the single largest inhibitor to the growth in usage of the mainframe in your organization? Responses: Third-party software costs. Management perception that mainframe is outdated.

SOURCE: GARTNER, DECEMBER 2003

Takes

■ 3Com last week announced stackable 10G Ethernet switches aimed at companies interested in deploying high-density Gigabit to the desktop. The SuperStack 3 Switch 3870 comes in 24- and 48-port versions with 10/100/1000M bit/sec Ethernet on all ports. It features a 10G expansion slot that could be used to link with a 10G backbone switch, letting desktop switches uplink directly with a LAN core. The box also comes with a 40M bit/sec interconnect for 3Com’s proprietary stacking technology. The company is touting the switches as a way to plan for future 10G connections to a 10G core. Its stacking technology lets up to eight SuperStack 3870s be linked with a 40G bit/sec backplane. The stack can be managed as one virtual switch, with one IP address. The SuperStack 3 Switch 3870 48-port switch costs $6,000 and the 24-port Switch 3870 $4,000. Both boxes are slated to ship next month.

■ Kentrox last week announced a router aimed at putting enterprise-level services and features into a box that connects to DSL or Ethernet services networks at sites with limited or no local dedicated IT staff. The Q2300 Ethernet QoS Access Router can be deployed in networks that use Ethernet or broadband links, while adding services such as quality of service, VPN, security and remote management. The Q2300 Ethernet QoS Access Router includes a GUI-based management tool, 100 VPN tunnel support, and firewall and intrusion-detection features. The box costs $895. The Q2200 is available for $995.

■ BY ROBERT MCMILLAN

Two weeks after announcing plans to integrate an Ethernet switch from Cisco into its BladeCenter servers, IBM last week announced a similar deal with Brocade Communications to create new integrated Fibre Channel switches for the same line of high-density servers.

By combining BladeCenter with intelligent switches, IBM is looking to give customers a simple way to consolidate servers and storage.

The Brocade switches, called the Entry SAN Switch Module and the Enterprise SAN Switch Module, are similar to Brocade’s SilkWorm 3850 switch except they will contain a more-sophisticated software stack, says Rob Sauerwalt, the global product manager for IBM eServer BladeCenter.

The Brocade Enterprise SAN Switch Module is a 16-port fabric switch that can link up to 14 IBM BladeCenter server blades and external storage devices.

The switches are designed to be plugged into the backplane of IBM’s BladeCenter chassis, just like the Cisco Intelligent Gigabit Ethernet Switch Module, which was announced April 29.

IBM is promoting the integrated modules as easier to use than externally connected switches.

The Entry module will support a two-switch fabric, while the Enterprise module will connect to storage-area network fabrics with as many as 239 switches.

Both products will be available next month, Sauerwalt says. The Entry product, designed for small and midsize businesses, will be priced starting at $14,500. The Enterprise module will start at about $20,000, he says.

The combination also gives IBM another tool to battle rivals such as HP, Sun and Dell.

McMillan is a correspondent with the IDG News Service's San Francisco bureau.
Novell eases pricing for Linux support


■  BY  ROBERT  MCMILLAN 

Novell  has  introduced  a  new  pricing 
model  for  its  SuSE  Enterprise  Linux 
operating  system  that  lets  customers  pay 
a  lower  flat  rate  for  Linux  support. 

Announced last week, the new support offerings give Novell’s customers an alternative to its existing per-system support contracts, and could make life easier for Linux users who have been critical of the per-system and per-processor support offerings of Novell and its rival Red Hat.

Users have complained that the two companies’ support licensing plans violate the open source spirit of Linux because they do not let customers make copies of Novell’s SuSE Linux Enterprise Server or Red Hat’s Enterprise Linux without paying additional support fees and because they allow for software audits that can involve hefty penalties.

Novell’s licensing still will require customers to pay between $100 and $919 per server, per year, for what the company calls “upgrade protection” — a service that includes automatic bug fixes, product upgrades and security patches. However, it will no longer force customers to purchase support contracts for each new server they add.

“You’re still obligated to pay for upgrade protection, but you don’t have to have a separate support contract for every one of the systems you add in,” says Bruce Lowry, a spokesman for Novell.

Customers can purchase a 10-incident Small Business Linux Support package from Novell for $3,800 per year, which will cover technical support for SuSE Linux, Red Carpet, the OpenExchange Server, and the Ximian desktop and Evolution Connector for Microsoft Exchange software. Additional five-incident support packs cost $1,900.

Premium support

Novell also will support its Linux products with its Novell Premium Support service, which the company already offers to its proprietary software users. Novell Premium Support pricing starts at $5,800 per year.

Novell’s move to decouple its upgrade and service fees will give Linux users a little more flexibility, says Gary Hein, a senior analyst with Burton Group.

“It’s  a  little  more  practical  and  more 
realistic  model,”  Hein  says.  “Essentially 
they  are  going  away  from  requiring  a 
separate  media  kit  for  every  single  SuSE 
server.” 
Novell will continue to offer its traditional per-server support contracts for SuSE Linux. They will cost $900 per year, per server, for Intel-based systems.

The new support offerings are available immediately, Lowry says.

McMillan is a correspondent with the IDG News Service's San Francisco bureau.


Radware revamps acceleration software

■ BY TIM GREENE

Radware is updating the software for its Secure Sockets Layer accelerator with a version that will let customers compress Web traffic to and from servers to improve response times.

The company’s CertainT 100 devices sit between Web servers and the Internet, intercepting requests to servers and handling processing that otherwise would bog down the servers. They also make the interactions between the servers and remote computers more efficient.

The software multiplexes incoming HTTP and HTTPS requests to servers so the servers have fewer sessions to set up and tear down. It also compresses the data it sends back to remote machines, making responses quicker to these machines, especially those connected to the Internet by a low-speed connection.

Before the upgrade, CertainT 100 handled SSL processing for servers, but didn’t multiplex sessions or compress traffic.

The compression boosts the number of remote computers that one server-side Internet connection can handle at once, because each response requires less bandwidth, the company says.

The company also is announcing the availability of a compression card for CertainT 100 that offloads the compression from the box’s CPU.

The CertainT 100 costs $9,000, and the card costs $6,500. The software is a free upgrade for customers with a service contract, and it ships standard with new purchases. ■




Infrastructure

www.nwfusion.com

NetworkWorld 5/17/04


Mostly an issue of trust

Johnny Carson’s first national TV gig was as host (from 1957 to 1962) of a game show called “Who Do You Trust?” It was patterned after the earlier Groucho Marx show called “You Bet Your Life.” I was reminded of this show during a lively e-mail discussion with a number of readers of my Identity Management newsletter (www.nwfusion.com, DocFinder: 2029) about various identity federation schemes that required your identity data to be stored with third parties.

While many people were willing to store some of their personal information with supposedly trusted institutions (banks, credit card companies, the postal service), it seems no one is willing to trust all his data to any one institution. While some were willing to keep all of their data digitized on their own personal computer (not their work machine, but their home machine), most realized that this presented difficulties for anyone who traveled at all. Keeping the same data synchronized on two or more devices usually means that at least one has outdated information. The only way to assure the accuracy of data is to have a single source of authority, one place where the data is written to and read from.

Even when I proposed a design similar to a safe deposit box — one which requires two “keys” (PKI tokens) to unlock — there were still holdouts. These people pointed out that banks must yield up their secure boxes to valid court orders while digital boxes were subject to many more attacks than the steel vault at your savings institution. The fear of identity theft overrides any rational discussion on the issues.

The really sad part, though, is that there doesn’t seem to be any institution in which everyone can put their trust these days. Back when Groucho and Johnny were hosting their game shows, people trusted their banker, postman, priest/minister/rabbi, doctor, lawyer, news reporter, neighbor and even their politicians (well, many of them). It might be that the people filling these roles always had feet of clay that we simply overlooked. But it’s also very likely that changes to society over the past 50 years have led to a culture that no longer values trust.

Technology can’t create trust where society sows doubt and disbelief; it can only hope to minimize the risk. Deciding who you do trust shouldn’t mean you have to bet your life.

Kearns, a former network administrator, is a freelance writer and consultant in Silicon Valley. He can be reached at wired@vquill.com.




Tip of the Week

“Improving the Lemons Market with a Reputation System: An Experimental Study of Internet Auctioning” (DocFinder: 2030) is a fascinating study of trust-building in online auctions. For a bit of lighter reading, try Donald Westlake’s “Trust Me on This” (DocFinder: 2031).


IBM software targets desktop, devices

Workplace Client Technology viewed as alternative to Microsoft offerings.

■ BY JOHN FONTANA

IBM last week made a brash move onto the desktop with the introduction of middleware designed to give corporations alternatives to Microsoft. It also provides the flexibility to run component-based software without sacrificing the sophistication or power of a fat client running natively on a client PC.

Introduced earlier this year as the future client for Lotus’ Workplace collaboration components, Workplace Client Technology now will be used as a foundation technology across its software portfolio. It will be made available to independent software vendors later this year, IBM says. Adobe, PeopleSoft and Siebel Systems are already onboard.

“IBM has taken a set of technologies and turned it into a bold initiative — challenge Microsoft on the desktop,” says David Marshak, an analyst with the Patricia Seybold Group. “The Workplace client is desktop middleware, it’s a re-architecting of the desktop and part of a major play.”

The Workplace Client Technology is built on the Eclipse open source framework and made up of Java-based components, including a small database to support offline data use, a local application server, a synchronization engine and a provisioning engine for dynamic deployments and updates.

Applications components are loaded on top of the middleware and function as true desktop applications. The applications also are accessible when not connected to the

See IBM, page 28


■ Novell last week announced a connector for Microsoft Exchange Server that lets users of its Linux e-mail package Evolution access Exchange from a Linux desktop. The company also announced that Novell Evolution 2.0 would be available in the third quarter with support for native GroupWise. The connector for Exchange will be open source. Evolution 2.0 will include spam filtering, S/MIME and PGP security, and integration with Novell’s Linux desktop and Gaim instant-messaging client. It also will support GroupWise 6.5 for Linux, letting users use Evolution to access their GroupWise mail, calendars and address books. Evolution 2.0 also will include improved offline support for Internet Message Access Protocol accounts, calendar improvements and enhanced contact management. Evolution 2.0 will be available as part of Novell's Linux desktop. The connector can be downloaded starting May 14, at www.novell.com/products/connector/download.html.

■ Citadel announced Hercules 3.0, the third edition of its automated remediation tool for patching, eliminating back doors, identifying unnecessary services and rooting out weak passwords. Hercules 3.0 introduces support for IBM AIX, HP-UX and the Macintosh operating system, and a feature for quarantining a desktop from the network if it doesn't pass a security check done by the Hercules server. Pricing for Hercules is $995 per server and $129 per desktop.


Oculan offers low-cost server mgmt

■ BY JOHN FONTANA

System and network management vendor Oculan this week is adding upgrades to its all-in-one appliance to help users manage a range of Microsoft server software and some non-Microsoft platforms.

With the introduction of the 5.0 versions of Oculan’s 100 and 250 appliances, the company has added support for Exchange 2003 and 2000, Active Directory, Terminal Services and SQL Server 2002. Support for SQL Server 7.0 is in final testing and is expected to ship with the new Oculan appliances.

Oculan also has added support via the Simple Network Management Protocol (SNMP) for Linux, Novell and IBM’s iSeries. Both the Microsoft and non-Microsoft platforms are managed through one interface.

“The biggest addition is the non-Microsoft awareness,” says Jim Lyon, IT analyst for Integrits, a service provider in San Diego. “Now we can go and detect non-Microsoft workstations and collect true SNMP traps from the enterprise.”

Lyon says he researched management tools from Microsoft, namely Microsoft Operations Manager (MOM) and System Management Server, but that they were too costly for his smaller company. Also, those tools don’t support non-Microsoft platforms. Oculan says its appliance is targeted at managing 1,000 seats or fewer.

Microsoft recognizes that need and earlier this year announced MOM Express, which is aimed at smaller customers with less-sophisticated management needs.

“Microsoft is taking the message out there that users need management, but they’ve missed ease of use, ease of deployment,” says Shane O’Donnell, CTO and vice president for Oculan.

The Oculan 100 and 250 are plug-and-play appliances that combine network, systems and desktop management with intrusion detection, vulnerability assessment, asset management and bandwidth analysis. The appliance also supplies network performance reports along with notifications and alerts of suspect events.

For example, the appliance reports on such issues as user connections, wait times and hit ratios for SQL Server. In Active Directory, the Oculan appliance shows performance matrix such as total queries and responses per second and state information on replication and DNS services. For Exchange, users can get information such as messages sent and received per minute, queue sizes and average delivery time.

Two new features, an Executive View and a Network Report Card, provide data on network security and performance.

Oculan supports the additional Microsoft platforms using Microsoft’s Windows Management Instrumentation, an API that lets systems and network devices be configured and managed.

The Oculan 100 costs about $5,000 and supports up to 10 servers, 10 infrastructure devices and 100 desktops. The 250 costs about $10,000 and supports up to 25 servers, 25 infrastructure devices and 250 desktops. ■


Managing Microsoft

Oculan this week will release the next version of its management appliance, which adds support for additional Microsoft server software. Here is a sample of some of the supported features per platform.

Active Directory, Server 2000, 2003

• Secure updates received/failures.
• Zone transfer failures.
• WINS lookups/responses per second received/sent.
• Trust domain/machine/direction/status.
• DNS server availability/polling interval/tombstone (2003 only).

Microsoft Exchange 2000, 2003

• Domain name and group domain name.
• Server name and version.
• Messages/bytes processed per second.
• CPU state.
• Memory state.

SQL Server 2000

• Lock wait times and average lock wait times.
• Batch requests per second.
• Connection memory.
• Log files size/used size/percentage used.
• Cache Hit Ratio.

Terminal Services, Windows XP

• Maximum connections.
• Transport.
• Encryption level.
• Authentication type.
• Total/active/inactive sessions (also Win 2000 Server).


Start-up reveals NIC-styled encryption

Seclarity's SiNic and management console add security functions to desktops, servers.

■ BY ELLEN MESSMER

Start-up Seclarity last week unveiled a security-based network interface card called SiNic that customers can use for peer-to-peer encryption and firewall protection for desktops and servers.

The SiNic hardware works like any generally available NIC but adds a way to encrypt and decrypt based on policy settings made by the Seclarity management console.

Through Seclarity’s Centralized Management Console, customers can set requirements for traffic between SiNic-equipped desktops and servers to be encrypted and authenticated using a range of encryption algorithms, including the Advanced Encryption Standard and Secure Hash Algorithm-1.

“There’s also a firewall function in SiNic so that based on policy the security manager could disable all telnet sessions, for example,” says Adrian Vanyl, CEO of Seclarity.

The Amarillo National Bank has been beta-testing SiNic.

Bill Davis, data security officer at Amarillo, says the bank, which has approximately 500 employees, added the SiNic hardware to 50 desktops and servers, with the intention of full deployment by year-end.

Seclarity's SiNic allows users to encrypt transactions based on corporate policies.

“Once we’re completely done, we’ll require encryption for everyone,” says Davis, adding that this is the policy the bank adopted in the past few months to improve security.

The idea of deploying encryption and firewall protection in hardware rather than software is not wholly new. 3Com, Intel, 14South and CyberGuard’s Snapgear unit all have similar kinds of hardware for encryption or firewall controls in desktops and servers.

Seclarity’s network card requires no changes to the desktop or server applications, according to Vanyl. And it does not rely on the host’s operating system as software-based firewall and encryption products do. The user doesn’t need special training because the Seclarity NIC is doing the encryption and authentication work as commanded by the central console.

Any user who is no longer enabled by the Central Management Console, which also audits activity, simply can’t communicate to any server or one that has an encryption or authentication policy enabled. Seclarity’s management console can use the corporate Lightweight Directory Access Protocol or Microsoft Active Directory to distribute digital certificates to the SiNic hardware.

Seclarity, which makes its SiNic hardware available this week, later intends to add versions for USB and wireless cards. The company intends to introduce a gigabit-speed appliance and additional modules for intrusion detection and intrusion prevention by fall.

The Seclarity Centralized Management Console costs $10,000 and SiNic hardware devices cost from $200 to $300, depending on volume. ■


IBM

continued from page 25

network.

Unlike Java applications, the Workplace Client Technology can call into the underlying operating system, ensuring applications maintain the look and feel of the host desktop.

The client technology will run on Windows and Linux. A Macintosh version is planned for later this year.

The middleware model lets administrators centrally manage desktops and dynamically roll out and update applications. A future version of the client technology will allow for the components’ deletion.

The client technology was unveiled in January at the annual Lotusphere conference and is slated to ship next month.

Big Blue last week also introduced the first two application components that would incorporate Workplace Client Technology — the next version of IBM Lotus Workplace Messaging, an e-mail application, and the new Workplace Documents for document management that includes support for Microsoft Office formats.

The Documents component could provide an alternative for users who don’t need a fully loaded Windows desktop.

“Microsoft doesn’t need to worry, but they do need to respond,” says Mike Gilpin, an analyst with Forrester Research. “The Workplace announcement positions IBM to do things that traditionally have been key for Microsoft, like applications on the desktop.”

IBM’s twist on client/server computing clashes with Microsoft, which is hoping to combine Web services and future operating system and application technology to create a generation of “smart clients” that blur the lines between server and client.

IBM isn’t just aiming for the desktop. It also introduced Workplace Client Technology Micro Edition for use on handheld and other devices, such as shop-floor terminals and PDAs, so the interface is consistent regardless of the end-user platform.

The Workplace concept, which began with Lotus, was to create a set of server-based collaboration components running on WebSphere Application Server that could be accessed via a browser.

While using a browser with server-based components is still an option, the new client technology adds the flexibility to deploy application logic locally. This taps into the PC’s processing powers and services, and eliminates round trips to the server.

“It’s not just Lotus Workplace anymore. Now it is IBM Workplace, and the technology will be used to support other IBM Software Group products,” says Ken Bisconti, IBM’s vice president of messaging products. “We believe there will always be some need to have a level of client-side code.”

Bisconti says Lotus Workplace, WebSphere Everyplace and Lotus Notes all will have the new client technology in the future.

The inclusion of Notes is the biggest concern for traditional Notes and Domino customers, many of whom said at Lotusphere that they want assurances that their existing Notes applications will run within the Workplace Client Technology framework, which is planned for delivery in Notes 7.0 early next year.

“Users want to know that the front-end Notes client technology written into their current applications will work,” Seybold’s Marshak says. IBM has said the new technology won’t cause customers to rip and replace current software.

Workplace Client Technology costs $24 per user. Workplace Messaging and Workplace Documents are $29 per year. ■


Middleware on the desktop

IBM is putting a layer of middleware on Windows, Linux and Macintosh desktops that will marry client/server features with thin-client computing. Here is a look at the components of the Workplace Client Technology middleware, which will be a 50M- to 100M-byte download.

Client-side component: Application server
Architecture: Adapted from Extended Services from WebSphere Everyplace.
Function: Provides local application processing for offline use.

Client-side component: Data store
Architecture: Cloudscape technology acquired from Informix.
Function: A database on the desktop.

Client-side component: Provisioning
Architecture: Supported by Tivoli or open source Eclipse technology.
Function: Controls distribution of new components to desktop.

Client-side component: Synchronization
Architecture: Based on SynchML.
Function: Bidirectional replication engine.
Forced admissions of poor security

It hasn’t been a good few months for San Diego computer security fans. Back in December, San Diego State University reported computer hackers might have accessed private records on more than 175,000 students, alumni and employees over the Internet. Last month, someone broke into computers at the San Diego Supercomputer Center.

On top of all that, it turns out that private records, including Social Security numbers and driver’s license numbers of more than 350,000 University of California, San Diego applicants, students, faculty and employees might have been exposed to Internet-based hackers sometime before mid-April when the break-in was discovered.

UCSD has been aggressive about letting the affected people know about the possible exposure of their private information — information that would be quite helpful to identity thieves. The university issued a press release (see www.nwfusion.com, DocFinder: 2032) and set up a special Web site to provide information and help (see http://idalert.ucsd.edu/).

But this aggressiveness to notify people that their identity might be in the process of being stolen might not be entirely because of UCSD’s sense of doing the right thing. Not quite a year ago the California Database Breach Disclosure Act went into effect (see DocFinders: 2033 and 2034). This act requires that California residents be told if personal data about them might have been exposed during a computer break-in. There does seem to have been a cluster of security problems in San Diego, but maybe the reality is that this type of exposure is quite commonplace. Maybe it’s only the disclosure act that lets us know about the problems. And keep in mind that the act only covers organizations that conduct business in California. A scary thought.

There’s a very easy workaround for the California act — keep your data encrypted. The disclosure act specifically exempts exposures of encrypted data from the notification rules. So if you don’t want to fix the security of your systems so they don’t get hacked and so unauthorized people inside your company cannot access the private information, then just encrypt the data. It’s not a bad idea to keep this data encrypted even if you think you have good security.

Some things remain fuzzy about the disclosure act. For example, it applies to “any person or business conducting business in California.” Does it apply to a New Jersey Web site selling socks over the Internet to a person located in Georgia but whose voting address is in California? How about selling the socks to someone living in San Francisco? If it does apply, how would California enforce the rules?

What quality of encryption is required for someone to be exempt? Would encrypting using ROT13 work? (DocFinder: 2035.)

Forced honesty is better than none, which seems to be the default for too many corporate lawyers when confronted with an embarrassing situation. It would be better to design and run things so the embarrassing situation doesn’t arise at all.

Disclaimer: From what I understand, the Harvard Business and Law schools have classes on “when honesty is the best policy” but they did not comment on this topic.

Bradner is a consultant with Harvard University’s University Information Systems. He can be reached at sob@sob.com.


■  WIRELESS  ■  REGULATORY  AFFAIRS  ■  CARRIER  INFRASTRUCTURE  DEVELOPMENTS 


Broadband Internet takes to the skies

Connexion by Boeing offers passengers access to the Internet at flat rates of $19.95 for flights between three and six hours; $29.95 for flights of more than six hours; and a metered cost of $9.95 for 30 minutes and 20 cents per subsequent minute.

■ BY MARTYN WILLIAMS

If Scott Carson gets his way, the announcement “We have reached surfing altitude” might soon be as familiar to air travelers as safety demonstrations, packs of peanuts and stowing the tray in the upright and locked position.

Carson is CEO of Connexion by Boeing, a company formed by The Boeing Co. in 2000 to deliver broadband Internet to aircraft. He and his team have traveled the world in the last year demonstrating the system to airline customers and they’re about to see the first fruits of their work. The service is ready to enter commercial service this week when Germany’s Lufthansa begins offering it on flights between Europe and the U.S. Three more airlines are planning to start service this year: Scandinavian Airline Systems and Japan’s All Nippon Airways and Japan Airlines System; and at least another four have signed agreements.

“It’s the right idea at the right time,” said Carson during an interview in Tokyo. “Connexion by Boeing gives [passengers] a lot of choice about how they spend that time [on board], whether it be listening to music, surfing the ’Net, communicating through instant message or email or, if they are part of a corporate structure, going through the firewall and accessing their network.”

If Boeing can deliver on that promise, it will be a considerable advance over today’s slow and expensive air-phone service, but how well can satellite-fed broadband work? To answer that question Boeing invited several journalists and customers on a test flight in April from Tokyo’s Haneda airport.

Getting connected was easy. The aircraft had an option of wired or 802.11b wireless LAN (WLAN). Like many other commercial WLAN services, a logon screen appears in the Web browser once connected. It asks for some personal information to create an account and offers one of several pricing options.

Boeing is selling the service directly to passengers and offers either flat-rate pricing, at $19.95 for flights of between three and six hours or $29.95 for flights of six hours or more, or metered pricing, at $9.95
See Boeing, page 34

■ AT&T announced last week that it has signed an $11 million, five-year deal with Clarian Health Partners. The Indianapolis healthcare facility is connecting 14 locations via AT&T’s fully managed Ethernet Switched Service-Metropolitan Area Network service. Clarian is using the network to share medical research and clinical care information among multiple sites including Methodist Hospital, Indiana University Hospital and Riley Hospital for Children. AT&T also is providing local and long-distance voice services to the healthcare facility.

■ Following the recent completion of its national broadband network, Verizon last week launched its long-haul IP VPN service for large business, education and government customers. Verizon’s new service is available in select Northeast and mid-Atlantic areas and will expand through the summer to Verizon markets in the South and West. Verizon offers two service-quality options and service-level agreements for both the local and long-haul portions of its network. The IP VPN service supports standard industry routing protocols, as well as Cisco’s proprietary Enhanced Interior Gateway Routing Protocol.

■ Vodafone Group is planning a field test in Tokyo later this year of a high-speed wireless data system that can deliver speeds of up to 3M bit/sec. Vodafone’s research and development unit will run a field test of technology developed by Flarion Technologies. Nextel is testing the same system, called Flash (fast low-latency access with seamless handoff) Orthogonal Frequency Division Multiplexing, in the U.S.

Nextel extends Direct Connect service

■ BY DENISE PAPPALARDO

Nextel is looking to sharpen its focus on business customers with enhancements to its push-to-talk service and wireless access to Salesforce.com applications.

Nextel last week announced that its Direct Connect push-to-talk customers can use the service internationally for the first time. The wireless service provider also has a new voice mail feature for Direct Connect called NextMail.

International Direct Connect is available in Argentina, Brazil, Canada and Peru. The company plans to offer service in Mexico later this summer. The service lets Direct Connect users based in or traveling to these countries use the push-to-talk service. Customers had been limited to using Direct Connect in the U.S. Nextel says it is exploring expanding Direct Connect in other areas of the world.

Chicago Scenic Studios started using Direct Connect about five years ago, and the service was the “key reason” the company chose Nextel, says Bob Doepel, founder of the company, which builds scenery sets for live events, museums, theater, television and film.

“In the event industry things happen immediately and we need to be able to communicate immediately,” Doepel says. The company not only builds sets in the U.S. but also in Canada, South America and the Middle East. “It will be great to [use Direct Connect] in more international locations,” he says.

International Direct Connect is available with two pricing options. Nextel offers a pay-as-you-go option that costs 25 cents per minute with no monthly fee. Or users can pay a $5 monthly fee and pay 15 cents per minute.

The NextMail service for Direct Connect customers will let users record voice mail when they cannot reach another push-to-talk customer. The message is stored as an MP3 file and delivered to its intended party.

Doepel says he’s also looking forward to using NextMail. “Right now if I can’t get a hold of someone with [a Direct Connect] alert then I have to call back on the cell to leave a message,” he says. “It would be nice to eliminate that step.”

NextMail costs $7.50 per month and is available now in advance of an official launch expected by month’s end.

The service provider also is expected to announce access to CRM software services from Salesforce.com as early as this week. This on-demand CRM service is also available now although not officially announced. Nextel did not provide pricing, but Salesforce.com service fees start at $65 per month, per user. ■

Winning strategies for next-gen network design

As Tolstoy wrote, happy families are all alike. So are successful companies. Time and again, I hear the same strategies from successful organizations for lowering costs and measurably improving employee productivity.

Here’s a rough-and-ready benchmark to gauge how your company measures up against these successful firms: Give yourself one point for every “yes,” and no points for every “no” — and see below for how to interpret the answers.

• Have you investigated broadband opportunities within the past 24 months? One leading firm was able to reduce telecom costs by 30% — while increasing bandwidth consumption — by deploying metro Ethernet. Several others have found that broadband solutions, including DSL services, can double or triple bandwidth to remote-office locations without increasing the price. If you haven’t looked at broadband in a couple of years, now’s the time to re-assess.

• Do you have a clear handle on wireless costs in your organization? Most firms don’t. Cellular voice and data services might consume as much as 40% of your total telecom costs, yet telcos are rolling out an unprecedented suite of low-cost services, and sweetening the deal with features such as local-number portability and Wi-Fi hot-spot interoperability. If you know exactly what wireless services are costing you, congratulations. If not, it is time for an audit.

• Have you explored Multi-protocol Label Switching (MPLS)-based services? Not every organization needs them, but most should at least consider them. MPLS can enable large companies and those with international links to reduce overall costs for voice, video and data by providing a mechanism to integrate all three forms of traffic onto a single infrastructure.

• Have you assessed or reassessed IP telephony within the past few months? If the last time you looked at IP telephony the Backstreet Boys topped the charts, it’s time for a second glance. We’re not recommending a huge upgrade of your existing TDM PBX. But IP telephony technology has matured, and companies are beginning to reap tangible benefits in the form of moves-adds-changes cost reduction, WAN cost reduction, and most importantly, employee productivity. Small and midsize firms stand to benefit from IP telephony, which simplifies phone management and administration.

• Have you looked at bandwidth optimization technology? We’re not talking about your father’s compression boxes. Vendors such as Packeteer and Peribit Networks have incorporated features ranging from compression to load balancing to dynamic quality-of-service enablement, with the net effect that you can reduce traffic on congested (and expensive) links by 75% or more. If the price of bandwidth is keeping you awake at night, consider these tools.

If you’ve scored 5 out of 5, congratulations — and stay tuned for further tips on running an optimized network. If you’re at 3 or 4 out of 5, that’s still pretty good — but you should consider spending an hour or two assessing the options you missed. And if you scored less than that, it’s time to move out of tactical mode and invest some time and energy into strategic planning. The payoff will be worth it.

Johnson is president and chief research officer at Nemertes Research, an independent technology research firm. She can be reached at johna@nemertes.com.

for 30 minutes and 20 cents per subsequent minute.

On a recent flight, e-mail access was smooth and browsing the Web proved no problem at what seemed like an acceptable speed. Streaming radio worked without a problem, as did watching video-on-demand news reports, albeit with a little buffering on the higher-bandwidth streams.

To try to tax the system, a large file transfer from the Japan download page for the Opera Web browser tested the sustained throughput. The network responded well and the data throughput was around 300K bit/sec, which meant a user was getting about one-fifteenth of the shared connection bandwidth, which seemed about right for the number of people onboard.

Boeing says it isn’t blocking any ports and users should be able to do just about anything.

“We are not putting any restrictions on use,” Carson says. The company realized that blocking and filtering traffic would inevitably lead to some specific corporate applications not working and could hurt the image of the service. VPNs also are supported.

Users also won’t find any blocking or censoring of Web sites. The company decided — aside from the added complexity filtering would bring — that passengers are unlikely to visit objectionable Web sites in an aircraft, where other passengers can look over their shoulders.

The backbone of the system is a network of transponders leased across eight commercial satellites that provides coverage of most major air routes in the Northern Hemisphere. Each transponder can support a downstream 5M bit/sec data channel, and Boeing envisages one being used initially for passenger Internet access, says Stan Deal, vice president of Connexion by Boeing.

There are plans for a second stream to carry live television, such as 24-hour news, sports and financial channels, and a channel for airline use, such as sending real-time telemetry, maintenance information and intracompany communications. Additional Internet data channels also can be added to keep up with demand. The upstream channel off the aircraft will be 1M bit/sec.

Four earth stations, in Japan, Russia, Switzerland and the U.S., provide the gateway link between the aircraft and a terrestrial network provided by Internap Network Services that carries traffic to the Internet.

The connection to the satellite from the aircraft is accomplished using an antenna designed by Mitsubishi Electric. The system is mounted in the top of the cabin above the roof. The long, thin antenna is curved like a parabolic satellite dish and motors constantly adjust its position so that it remains pointing at the satellite during the flight, Deal says.

Whether the service is a success might not be a question of technology or price.

Aircraft cabins are one of the few places a busy traveler can get away from phones, e-mail and instant messages, so some might resent the intrusion of the Internet in the air.

“My reaction is that $30 per flight is a bit too expensive for missing half a day’s connection, which is often valuable time to do other things,” said Izumi Aizu, principal of Tokyo’s Asia Network Research and an adviser to governments on Internet issues. “I will use it if it’s integrated with business-class services, free-of-charge, or only when I have a really urgent need to send and receive messages.”

Not all of the prospective audience appears to be such a hard sell.

“I would use it,” said Joi Ito, a venture capitalist in Tokyo and frequent traveler. Ito runs a blog that he often updates just before and after taking flights. “The pricing is fine, and I’d probably pay up to $50 or so for it. I would route my flights just to get such a plane.”

Boeing’s market research found up to 6% of people surveyed would change their flight plans, within a certain set of limits, to get on board an aircraft that has the system, says Michael Carson, sales director at Connexion by Boeing.

Boeing’s system isn’t the only one focused on passengers on aircraft. Tenzing Communications offers a store-and-forward service based on an on-board server and the seat-back phones in many aircraft. Cathay Pacific is one such airline offering the service, and charges $9.95 per flight plus 60 cents per 1K-byte message or $19.95 for the entire flight. The service offers access to POP3 e-mail boxes and Web-based email from services such as Yahoo and Hotmail. But corporate accounts that require VPN connections to access or secure passwords are not supported.

Williams is a correspondent with IDG News Service’s Tokyo bureau.

“My reaction is that $30 per flight is a bit too expensive for missing half a day’s connection ...”
Izumi Aizu, principal, Tokyo’s Asia Network Research

■ BY DENISE PAPPALARDO

Internap Network Services, best known as an IP provider that offers route control services, last week launched Version 3.3 of its Flow Control Platform and two products that integrate features from the equipment it gained through its acquisition last year of route optimization appliance vendors Sockeye Networks and netVmg.

Although Internap is not combining its products and services business, the service provider says it plans to roll out bundled offerings.

Version 3.3 of Flow Control Platform includes new policy management features that let users prioritize for specific traffic or users. For example, a customer can determine that voice traffic always gets the highest priority or that traffic from the CEO, identified by a specific IP address, gets priority over all other traffic.

The upgraded software includes application and user-based traffic reporting.

The two products the service provider launched are its FCP-120 and its FCR-85. The FCP-120 is a traffic monitoring and management device for a small, multihomed enterprise network. The device includes four Ethernet ports and can monitor up to 75M bit/sec of traffic simultaneously. By comparison, the company’s FCP-500, for larger companies, can monitor up to 400M bit/sec of traffic simultaneously.

The FCR-85 gathers traffic information at remote sites and reports it back to either the FCP-120 or FCP-500 device.

Internap’s products are available from $24,900 to $99,900. ■

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WHO  HAS  WHAT:  Battle  for  IP  bragging  rights. 


The  rules  are  fuzzy  in  IP  numbers  game 


■  BY  CAROLYN  DUFFY  MARSAN 

When  it  comes  time  to  buy  Internet  ser¬ 
vices,  network  executives  are  inun¬ 
dated  with  measurements  that  service 
providers  use  to  show  the  size  and  perfor¬ 
mance  of  their  IP  networks. 

Number  of  points  of  presence;  number 
of  countries  supported;  amount  of  packets 
carried;  number  of  domains  connected. 

Service  providers  quote  these  and  other 
measures  to  show  that  they  have  the  largest 
or  most  expansive  or  most  interconnected 
IP  backbones. 

But  do  any  of  these  numbers  really  matter 
to  corporate  customers?  Yes  and  no,  industry 
analysts  say.  Buyers  should  consider  the  met¬ 
rics  that  ISPs  use  to  track  their  IP  networks, 
but  they  should  keep  their  own  needs  in 
mind  when  choosing  a  service  provider, 
experts  say. 

Brownlee  Thomas,  a  principal  analyst  with 
Forrester  Research,  recommends  that  buyers 
look  beyond  bandwidth  and  traffic  measurements  to 
find  out  how  service  providers  design  and  configure 
their  networks. 

“I  don’t  care  that  you  have  the  most  POPs.  I  care  that 
your  POPs  are  where  I  need  them.  I  don’t  care  that  you 
have  the  fattest  pipes.  I  care  if  you  have  the  fattest  pipes 
where  I  need  them. There’s  a  difference  between  having 
the  biggest  network  and  having  the  best  network  to 
meet  my  needs,”  Thomas  says. 

Corporate  buyers  also  must  keep  in  mind  that  no  stan¬ 
dard  methodology  exists  for  measuring  IP  networks.  No 
government  agency  or  industry  group  publishes  statis¬ 
tics  about  IP  network  size  or  performance.  Instead,  each 
ISP  measures  and  publishes  its  own  performance 
against  its  preferred  metrics.  So  buyers  have  to  be  care¬ 
ful  not  to  compare  apples  and  oranges. 

“There  is  no  forum  in  which  all  the  ISPs  participate  in 
which  we  share  all  of  our  data  using  a  consistent 
methodology  says  Fred  Briggs,  president  of  operations 
and  technology  at  MCI. 

Most  service  providers  focus  on  two  types  of  metrics: 
those  that  measure  the  size  of  their  IP  networks  and  those 
that  measure  network  performance.  In  the  first  story  of 
this  two-part  series,  we’ll  look  at  the  measurements  that 
ISPs  use  to  determine  IP  backbone  size.  Next  week,  we’ll 
look  at  how  ISPs  measure  network  performance. 

Most  top-tier  ISPs  have  similar-sized  network  back¬ 
bones  —  OC-192  pipes  running  at  10G  bit/sec  are  the 
norm  —  and  they  deploy  top-of-the-line  routers  from 
vendors  such  as  Cisco  and  Juniper.  So  bandwidth  or 
router  size  is  not  likely  a  differentiator. 

Where  buyers  can  find  differentiation  is  in  the  geo¬ 
graphic  reach  of  various  IP  networks. 

One  key  measure  is  the  number  of  countries  where  an 
ISP  owns  or  controls  network  footprint.The  ISP  that  usu¬ 
ally  wins  this  contest  is  Equant,  which  boasts  IP  services 
in  145  countries. 

Equant earlier this month won a major contract extension
from satellite phone service provider Globalstar
because of the global reach of Equant’s private IP network.
Globalstar uses Equant’s IP VPN services in 15
countries across North America, Latin America, Europe,
Asia Pacific and the Middle East.

“The  strength  that  Equant  brought  to  the 
table  is  its  worldwide  reach.  And  the  price 
was right,” says Mac Jeffery, senior director for
marketing  communications  at  Globalstar, 
which  counts  U.S.  military  operations  in 
Afghanistan  and  Iraq  among  its  customers. 
“Our  biggest  business  is  going  to  be  in  those 
odd-ball  locations  way  out  on  the  edge  of  the 
world.” 

Jeffery  says  Globalstar  plans  to  add  IP  VPN 
locations  in  Puerto  Rico,  Alaska  and  India 
over the next year. “We’re confident that
when it comes time to broaden our network,
Equant will be there,” he says.

Another  measure  that  ISPs  boast  about  is 
the  number  of  IP  POPs  on  their  networks. 
MCI  touts  that  its  global  IP  network  features 
4,500  company-owned  POPs  on  six  conti¬ 
nents  —  all  but  Antarctica. This  is  the  figure  that  MCI 
uses  to  say  it  runs  the  largest  IP  backbone  in  the  world. 

“What  becomes  relevant  from  a  customer  standpoint 
is  how  many  POPs  you  have  in  the  world,”  Briggs  says. 
“This  metric  shows  how  many  places  I  can  get  on  your 
network and you can provide me with capability.”

The  reach  of  an  ISP’s  network  —  whether  measured  by 
POPs  or  number  of  cities  supported  —  matters  because 
most  service-level  agreements  (SLA)  apply  once  the  cus¬ 
tomer  is  on  the  carrier’s  own  network  rather  than  a  local 
access  network. 

“Once  they  get  on  our  network,  then  the  SLAs  we  offer 
become relevant,” Briggs says. “Companies that have
manufacturing  or  customer  service  operations  around 
the  world  can  get  a  consistent 
quality  of  service.” 

POPs: MCI, 4,500 worldwide.

Most Internet traffic in U.S.: AT&T, according to RHK study.

Most interconnected IP backbone: MCI, according to TeleGeography.

Most private peering points: Internap.

Most countries with direct Internet services: Equant, 145.

Best SLAs: Sprint, according to Forrester Research.

Best business development strategy: BT, according to Frost & Sullivan.

For corporate buyers, being able to get Internet access from
a particular country isn’t as important as what other IP
services  are  available  there.  Currently,  top-tier  ISPs  are 
competing  to  see  who  can  offer  Multi-protocol  Label 
Switching  (MPLS)  service  in  the  most  countries. 

“It’s  not  just  the  raw  POP  counts  that  matter,”  says 
Christine  Sorenson,  a  technology  consultant  with  AT&T. 
“What  matters  is  where  you  can  get  the  service  you 
need. You need to ask how many of the POPs can be
used  with  an  MPLS  VPN.” 

Another  measurement  that  ISPs  use  to  describe  the  size 
of  IP  networks  is  the  amount  of  packet  traffic  carried. 

AT&T,  for  example,  asserts  that  its  North  American  IP 
backbone  carries  the  most  traffic  on  a  monthly  basis. 
Last  year,  AT&T  surpassed  MCI  to  take  the  top  spot  in  a 
ranking  of  Internet  traffic  compiled  by  telecommunica¬ 
tions  research  firm  RHK. 

“The  reason  we  pride  ourselves  on  the  amount  of  traf¬ 
fic  we  carry  is  that  it  is  an  indicator  of  the  economies  of 
scale  we  bring  to  the  market,”  says  Craig  Uthe,  IP  network 
product management director for AT&T. “About 1.3
petabytes  of  data  per  day  goes  through  our  network.” 

AT&T  says  traffic  measurements  are  important  because 
they  show  how  widely  AT&T’s  IP  network  is  used. 

“It  gets  back  to  Metcalfe’s  Law,  which  states  that  the 
value  of  a  network  increases  with  the  number  of  nodes,” 
Sorenson says. “If there’s more traffic on a network, more
people who are trying to reach each other are on that
network, and the traffic gets there faster.”

Meanwhile,  MCI  touts  a  different  metric  —  the  number 
of  autonomous  system  network  connections  it  has  —  to 
show  the  value  of  its  IP  backbone  network.  MCI  was 
ranked  first  in  this  metric  by  TeleGeography  Research, 
which  says  this  statistic  shows  the  connectedness  of  an 
IP  network  to  the  rest  of  the  Internet. 

“We  have  historically  connected  to  the  most  number  of 
domains,”  Briggs  says,  adding  that  this  measure  is  impor¬ 
tant  because  it  shows  that  MCI  interconnects  with  the 
most  ISPs  around  the  world. 

How  interconnected  an  IP  backbone  net¬ 
work  is  matters  because  it  affects  how  quickly 
communications  can  get  from  one  ISP  to 
another,  says  Bryan  Van  Dussen,  director  of 
telecommunications  strategy  at  The  Yankee 
Group. 

“If  I  were  a  corporate  buyer,  I’d  ask  ISPs  how 
many  routes  they  were  broadcasting  and  to 
show  me  their  autonomous  system  numbers. 
Then  I’d  run  some  ping  tests  to  see  how  many 
hops  it  takes  for  my  communications  to  get 
around the Internet,” Van Dussen says.

Although  the  top-tier  ISPs  spend  a  significant  amount  of 
time  and  energy  arguing  that  their  networks  are  the 
largest  according  to  particular  metrics,  corporate  buyers 
usually  care  more  about  network  performance  than  net¬ 
work  size. 

“Latency, availability and packet loss: That’s what the
customer  sees  and  can  measure  and  impacts  their  ser¬ 
vices,”  Briggs  says. 

Next  week:  A  closer  look  at  these  three  key  metrics  for 
IP  network  performance,  and  a  few  new  metrics  that  are 
useful  when  buying  emerging  services  such  as  VoIP 

E-mail appliances shore up security

■  BY  TIM  CHIU 


HOW  IT  WORKS 


E-mail  gateway  appliance 


An  e-mail  gateway  appliance  provides  advanced  management  of  message  traffic 
through  policy  enforcement  tools,  content  filters  and  detailed  reporting. 
1. An incoming e-mail makes a Simple Mail Transfer Protocol connection with
the e-mail appliance.

2. The appliance checks the connection for deceptive and fraudulent senders,
and drops those connections at the edge.

3. The appliance passes the remaining messages to the anti-virus, anti-spam
and content filtering engines.

4. Once the message is filtered, it can be acted upon or forwarded to the
routing module.

5. The routing module delivers the message to the appropriate user based
on LDAP, routing tables or DNS.


Message  transfer  agents  sit  at  the  edge  of 
networks  and  handle  the  flow  of  e-mail 
between  the  Internet  and  internal  mail 
servers.  However,  MTAs  pose  security  risks 
because  they  interact  directly  with  the 
Internet,  and  the  operating  systems  they 
run  on  have  known  vulnerabilities.  It  can 
take  many  days  of  work  just  to  keep  up 
with  security  patches  for  services  available 
on  an  operating  system,  and  maintaining 
MTA  software  only  adds  to  the  burden. 

E-mail  gateway  appliances  have  begun  to 
replace  MTAs  at  the  edge  of  networks. 
These  appliances  are  turnkey  hardware/ 
software  solutions  that  provide  the  same 
basic  functions  as  MTAs.  But  with  these 
devices,  software  not  related  to  e-mail  pro¬ 
cessing  is  stripped  from  the  operating  sys¬ 
tem.  All  ports  that  don’t  pertain  to  email 
are  locked  down,  preventing  the  possibility 
of  an  attack  on  any  open  port.  And  all  the 
software  for  MTA  functionality  and  anti¬ 
virus,  anti-spam  and  content  filtering  has 
been  preconfigured  and  optimized. 

Got great ideas

■ To contribute a primer on a specific
technology, standard or protocol,
contact Amy Schurr, senior managing
editor, features (aschurr@nww.com).


When an incoming e-mail arrives at the
gateway appliance, a number of security-based
actions occur. The gateway imposes
a security measure at the Simple Mail
Transfer Protocol layer to verify the SMTP
connection, and drop it if the intent seems
fraudulent, is purposely deceptive or
matches known spammer addresses.

The  appliances  do  this  by  verifying  a 
sender’s domain against DNS, looking for
RFC  compliance,  requiring  authentication 
and  other  protocol-based  monitoring.  This 
reduces  the  amount  of  bad  or  fraudulent 
e-mail  that  the  appliances’  anti-virus,  anti¬ 
spam  and  content-filtering  engines  will 
need  to  process. 

Finally,  the  appliances  integrate  events 
that  occur  at  the  protocol  level  and  share 
protocol-based  information  with  the  anti¬ 
virus  and  anti-spam  engine  to  provide 
increased security, which is not possible
with  a  piecemeal,  homegrown  solution. 


The  appliances  then  apply  a  content  filter 
to  the  e-mail.  Here,  policies  pre-defined  by 
a  system  administrator  trigger  actions,  in¬ 
cluding  rejection,  discarding,  re-directing, 
quarantining,  forwarding,  excerpt  forward¬ 
ing,  attachment  removal,  passing  to  addi¬ 
tional  policy  filters  and  filing  messages  into 
specific  mailboxes.  Simplified  manage¬ 
ment  interfaces  let  administrators  config¬ 
ure  policies  and  actions. 

After a message has been processed, an e-mail
gateway appliance routes it to the final
mail server or holding location. The appliance
can use routing data from Lightweight
Directory Access Protocol (LDAP), local
routing tables or DNS. Decisions on routing
are based on the delivery e-mail address or
domains. An appliance processing inbound
e-mail typically would use LDAP, a
local routing table or domain-based routing
to get the e-mail to the right mail server after
filtering it. For e-mail going out to the
Internet, routing typically is accomplished
using DNS records.
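The stages described above (edge checks on the SMTP connection, policy-driven content filtering, then routing by directory or routing table), as an added Python sketch that is not part of the original article and not any vendor's code. The DNS view, blocklist, directory, routing table, policies and sample messages are constructed stand-ins.

```python
import re
from dataclasses import dataclass, field

# Constructed sample data standing in for DNS, a sender blocklist and LDAP.
RESOLVABLE_DOMAINS = {"example.org", "partner.example"}
BLOCKED_SENDERS = {"bulk@example.org"}
DIRECTORY = {"alice@corp.example": "mail1.corp.example"}    # LDAP-style lookup
DOMAIN_ROUTES = {"corp.example": "mailhub.corp.example"}     # local routing table
RISKY_EXTENSIONS = (".exe", ".scr", ".pif")

ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})$")


@dataclass
class Message:
    helo: str
    mail_from: str
    rcpt_to: str
    subject: str = ""
    attachments: list = field(default_factory=list)


def check_connection(msg):
    """Protocol-level checks made before any content scanning.

    Returns a drop reason, or None when the connection is accepted.
    """
    match = ADDRESS.match(msg.mail_from)
    if not match:
        return "malformed MAIL FROM address"
    if msg.mail_from.lower() in BLOCKED_SENDERS:
        return "known spammer address"
    if match.group(1).lower() not in RESOLVABLE_DOMAINS:
        return "sender domain not found in DNS"
    if "." not in msg.helo:
        return "HELO name is not fully qualified"
    return None


def apply_policies(msg):
    """Administrator-defined content policies; returns the actions triggered."""
    actions = []
    kept = [a for a in msg.attachments if not a.lower().endswith(RISKY_EXTENSIONS)]
    if len(kept) != len(msg.attachments):
        msg.attachments = kept
        actions.append("attachment_removed")
    if "confidential" in msg.subject.lower():
        actions.append("quarantine")
    return actions


def route(msg):
    """Directory lookup first, then the domain routing table."""
    rcpt = msg.rcpt_to.lower()
    if rcpt in DIRECTORY:
        return DIRECTORY[rcpt]
    return DOMAIN_ROUTES.get(rcpt.rpartition("@")[2])


def process(msg):
    """Run one inbound message through the stages in order."""
    reason = check_connection(msg)
    if reason:
        # Dropped at the edge: the filtering engines never see this message.
        return {"verdict": "dropped", "reason": reason, "scanned": False}
    actions = apply_policies(msg)
    if "quarantine" in actions:
        return {"verdict": "quarantined", "actions": actions, "scanned": True}
    server = route(msg)
    if server is None:
        return {"verdict": "rejected", "reason": "no route for recipient",
                "scanned": True}
    return {"verdict": "delivered", "server": server, "actions": actions,
            "scanned": True}


# Constructed sample traffic.
SAMPLES = [
    Message("mx.example.org", "bob@example.org", "alice@corp.example", "Lunch"),
    Message("mx.example.org", "bulk@example.org", "alice@corp.example", "Offer"),
    Message("localhost", "bob@example.org", "alice@corp.example"),
    Message("mx.partner.example", "eve@partner.example", "carol@corp.example",
            "Invoice", ["invoice.pdf", "update.EXE"]),
    Message("mx.example.org", "bob@example.org", "dave@corp.example",
            "Confidential plan"),
    Message("mx.unknown.test", "x@unknown.test", "alice@corp.example"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.mail_from, "->", sample.rcpt_to, process(sample))
```

The `scanned` flag makes the article's load argument visible: every message dropped by the connection checks is one the anti-virus, anti-spam and content engines never have to process.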

E-mail  gateway  appliances  provide  an 
easy-to-use,  easy-to-maintain  and  highly 
secure  edge  solution  for  e-mail  filtering 
and delivery.

Chiu  is  senior  product  manager  of 
Mirapoint. He can be reached at tchiu@mirapoint.com.


Dr.  Internet 


By  Steve  Blass 


Even  with  patches,  anti-virus  software,  firewalls 
and  intrusion-detection  systems,  our  Windows 
systems  are  getting  infected  by  new  viruses  and 
worms.  What  other  defense  can  we  use? 

To combat the recent Sasser worm, visit Microsoft’s
Sasser scanning Web page at www.microsoft.com/sasser.
The tool will identify whether a
PC is infected and remove the worm if it is found.
You have to install the MS04-011 patch before the
tool will work. To provide additional protection, the
free Qwik-Fix tool from www.pivx.com is helpful.
Qwik-Fix adjusts Windows security settings to
block a number of holes in Windows features that
most users do not use. Vulnerabilities addressed
by Qwik-Fix include IE Zone crossing exploits,
RPC/DCOM problems, HTA mime-type abuse,
Windows Messenger desktop spam, Stream File
writing and Trojan services, and protocol handler
problems. The program supports systems running
Windows 95 through 2003 Server and provides for
automatic updates. Other tools can be found at
www.grc.com. The site's online port-scanning services
can provide information for further tightening
your network controls. Consider configuring
your Windows systems to automatically perform
Windows Updates installation as well.

Blass  is  a  network  architect  at  Change@Work.  He 
can  be  reached  at  dr.internet@changeatwork.com. 
RSS technology, take 2

So where were we? Oh yes, the Really
Simple Syndication system — last
week was a veritable banquet of RSS
featuring a smorgasbord of standards, a
panoply of products and other alluring
alliterations.

We broke off in the middle of discussing
how a news aggregator with the whimsical
name of Syndirella goes about reducing
the bandwidth it uses when downloading
news feeds.

The reason that this matters, as we
pointed out, is that should 20,000 people
download a 50K-byte RSS file from some
lucky site once an hour, it would require
1.2G bytes of data transfer every day. If the
feed were updated only twice per day, this
would be a profligate, unforgivable and
rather expensive waste of bits.

The answer is simple yet subtle, profound
yet passe, logical yet laughably geeky. The
answer is Conditional GET, an HTTP feature
that can significantly reduce the total transfer
volume by telling you whether the content
you request has changed.

Conditional GET is implemented as two
fields in the response header: Last-Modified
and ETag (see www.nwfusion.com,
DocFinders: 2036 and 203). What matters
is whether these fields have changed
since you last looked at them rather than
what their values actually are.

To use these when you request content
from the server, you include two fields in
the HTTP request header. First there’s an
If-Modified-Since field (see DocFinder: 2038)
containing the value from the Last-Modified
header you received (or 0 if you
have never retrieved the feed before).
Second, there’s an If-None-Match header
field (see DocFinder: 2039) with the value
from the ETag header (or 0 if never before
retrieved).

If the content has changed (that is, the
RSS file has been updated since you last
downloaded it), the server will respond by
sending you the new RSS file’s content.

On the other hand, if the content has not
been changed, the server will respond with
a 304 code, which means “Not Modified,”
and the body of the reply will be empty
(see DocFinder: 2040 for some examples).

Now why would you use the value from
the Last-Modified and ETag fields rather
than your own local date and time? You
guessed it. The chances of your local clock
being exactly synchronized with the
remote Web server are as close to zero as
are your chances of winning the state lottery
without buying a ticket, so you could
expect to always get the content returned.

And when we’re considering RSS feeds
and Last-Modified and ETag field dates, we
have to be aware that their values may
have absolutely nothing to do with any
time stamp that the server might generate
— for example, the Apache server uses a
hash of the contents of the file (see
DocFinder: 2041).
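The Conditional GET exchange described above, as an added Python example that is not from the original column or from Syndirella. It runs a small loopback server and a client that stores the ETag and Last-Modified values and echoes them back unchanged; the feed content, class names and port choice are constructed, and on the very first fetch this example simply omits the conditional headers.

```python
import hashlib
import threading
import urllib.error
import urllib.request
from email.utils import formatdate
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample feed; the demo server below serves it on loopback.
FEED = {"body": b"<rss version='2.0'><channel><title>demo</title></channel></rss>",
        "mtime": 1084000000}


def current_validators():
    """ETag is a content hash, Last-Modified an HTTP date; both are opaque to clients."""
    etag = '"%s"' % hashlib.sha256(FEED["body"]).hexdigest()[:16]
    return etag, formatdate(FEED["mtime"], usegmt=True)


class FeedHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        etag, last_modified = current_validators()
        if_none_match = self.headers.get("If-None-Match")
        if_modified_since = self.headers.get("If-Modified-Since")
        # Exact string comparison: the client's clock never enters into it.
        if if_none_match is not None:
            unchanged = if_none_match == etag
        else:
            unchanged = if_modified_since == last_modified
        if unchanged:
            self.send_response(304)          # Not Modified, empty body
            self.send_header("ETag", etag)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("ETag", etag)
        self.send_header("Last-Modified", last_modified)
        self.send_header("Content-Length", str(len(FEED["body"])))
        self.end_headers()
        self.wfile.write(FEED["body"])

    def log_message(self, *args):            # keep the demo quiet
        pass


class FeedCache:
    """Aggregator-side cache that replays the server's validators verbatim."""

    def __init__(self):
        self.etag = None
        self.last_modified = None
        self.body = None
        self.bytes_downloaded = 0
        # Ignore any proxy settings in the environment for the loopback demo.
        self.opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))

    def fetch(self, url):
        request = urllib.request.Request(url)
        if self.etag:
            request.add_header("If-None-Match", self.etag)
        if self.last_modified:
            request.add_header("If-Modified-Since", self.last_modified)
        try:
            with self.opener.open(request, timeout=5) as response:
                self.body = response.read()
                self.etag = response.headers.get("ETag")
                self.last_modified = response.headers.get("Last-Modified")
                self.bytes_downloaded += len(self.body)
                return response.status
        except urllib.error.HTTPError as err:
            if err.code == 304:              # keep the cached copy, nothing transferred
                err.close()
                return 304
            raise


def demo():
    """Fetch twice, update the feed, fetch again; return statuses and body bytes."""
    server = HTTPServer(("127.0.0.1", 0), FeedHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/feed.xml" % server.server_port
    cache = FeedCache()
    statuses = [cache.fetch(url), cache.fetch(url)]
    FEED["body"] += b"<!-- updated -->"      # the publisher changes the feed
    FEED["mtime"] += 3600
    statuses.append(cache.fetch(url))
    server.shutdown()
    server.server_close()
    return statuses, cache.bytes_downloaded


if __name__ == "__main__":
    print(demo())
```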

Anyway, now that optimization is out of
the way, what about that feature of
Syndirella that lets regular Web pages be
treated as if they were RSS content? The
way it works is Syndirella parses that HTML
and pays attention to the tags you tell it
have meaning. For example, you might
specify the tag <span class="title"> ...
</span> and <div class="body"> ... </div>
that define the title and content for each
feed item.

So  Syndirella  can  turn  a  sow’s  ear  into  a 
silk  purse.  But  how  can  we  create  silk  purs¬ 
es  out  of  non-RSS  content  generated  by 
some  program  for  consumption  by  a  news 
aggregator  that  can’t  deal  with  sows’  ears? 

Here’s  a  neat  idea  on  that  theme:  A  free 
PHP script that checks a POP3, Internet
Message  Access  Protocol  (IMAP)  or  NNTP 
mailbox  on  demand  and  returns  an  RSS 
feed  containing  the  messages  in  the  mail¬ 
box.  Called  MailFeed  (DocFinder:  2042), 
the  script  produces  standards-compliant 
RSS  2.0  XML  and  requires  PHP  4.3.4+  with 
the  PHP  IMAP  extension  and  the 
Mail_Mime  PEAR  package  (included  by 
default  with  most  PHP  installs). 

And  then  there  are  services  to  do  it  for 
you:  Check  out  RSSgenr8  (DocFinder: 
2043),  an  HTML-to-RSS  converter.  You  just 
modify  the  HTML  on  your  site  to  include 
the tags <span class="rss:item"> ... </span>
around  items  to  be  listed  in  the  feed. 

RSSgenr8  takes  the  Web  page  title  as  the 
channel;  the  page’s  meta  description  as  the 
channel  description;  the  item  text  as  the 
description  element;  and  the  first  line  or 
first  100  characters  of  text  (any  HTML  cod¬ 
ing  is  stripped  out)  as  the  title  element. 

To  create  the  feed  you  paste  the  target 
URL in a Web form on the project’s home
page  and  submit  it;  call  the  back-end  PHP 
script  directly  (both  of  these  services  are 
free);  or  download  the  free  script  and  run  it 
on  your  own  server. 

Next  week  we'll  wrap  up  RSS.  Headlines 
to  gearhead@gibbs.com. 
Quick takes
on  high-tech  toys 

By  Keith  Shaw 


There’s  more  to  NetWorld+Interop  than  just  the  latest 
big  switches,  routers  and  security  equipment.  Vendors 
always  show  off  some  cool  equipment,  and  we  got 
a  peek. 

Videoconferencing  vendor  Polycom  showed  off  its 
V500,  a  videoconferencing  appliance  geared  toward 
home  office  workers.  The  device  connects  to  a  TV  to 
provide  videoconferencing  capabilities  similar  to 
those  found  on  higher-end  Polycom  equipment. 

The V500 weighs about 2.5 pounds and produces
video at up to 30 frames per second. It uses Polycom’s
Siren 14 wideband audio (14 KHz), and H.264 video
compression to offer higher-quality video over
low-bandwidth connections, Polycom says. The system will
work optimally with broadband connections of 256K
bit/sec (both upstream and downstream) or higher.

Other features include Advanced Encryption
Standard support and dual-monitor emulation, which
lets viewers see a split screen (view themselves and
the other end of the videoconference), and support
for 11 languages.


The  appliance  includes  a  remote  control  for  naviga¬ 
tion  through  a  TV  and  supports  several  broadband 
connections,  including  cable,  DSL,  ISDN  and  LAN 
connections.  Two  models  are  now  available  —  an 
IP-only model for $2,000 and the IP/ISDN model
for  $3,000. 


Netgear showed off the latest version of its 802.11g
wireless access point, the WG302 ProSafe. The new
access point offers optional speeds up to 108M
bit/sec (non-standard), dynamic rate
shifting and a wireless distribution system
that offers point-to-point bridging, point-to-multipoint
bridging and repeater functionality for deploying over
large areas, the company says.

The access point includes security features such as
802.1x support, VPN pass-through, Wi-Fi Protected
Access and Media Access Control address authentication.
The system also comes with two detachable 5-dBi
antennas and Power over Ethernet (802.3af), which
means it can be placed in locations where power outlets
are not available. For management, the device supports
SNMP. It costs $350.


American Power Conversion, better known for its
cooling systems and uninterruptible power
supplies, also has several products aimed at
improving mobility for road warriors. The
company was showing off its new
ergonomic notebook stands, which aim to offer better
positioning of a notebook for comfort and posture.

Each notebook stand offers different levels of
adjustability, to help cool a laptop
and ease back, neck and wrist
strain. One model also includes a
built-in, four-port USB 2.0 hub for adding
peripherals such as printers, scanners and a USB
keyboard or mouse.

The notebook stands also can rotate 360 degrees,
which lets users share the display with other users, or
access the back of the notebook. The stands range in price
from $20 to $100, depending on the model.


American Power Conversion is branching out with the
release of new ergonomic notebook stands.


Polycom’s V580 offers home office workers
videoconferencing capabilities via TV.


Shaw  can  be  reached  at  kshaw@nww.com. 


ON TECHNOLOGY

John  Dix 


Outlook good from N+I


As the premier network trade show, NetWorld+Interop
is a bellwether of the industry’s health, and
judging by those who made the trek to Las Vegas
last week, things are looking up.

The  show  was  larger  than  last  year,  vendors  rolled  out 
a  boatload  of  new  products  (see  www.nwfusion.com), 
and  most  suppliers  seemed  pleased  with  the  quality  of 
attendees  and  the  audience’s  upbeat  attitude. 

The  show  was  abuzz  about  security,  wireless  and  con¬ 
vergence,  which  seemed  to  overshadow  the  fact  that 
the  exhibition  filled  only  a  portion  of  one  of  the  con¬ 
vention  center's  great  halls,  where  it  used  to  take  up 
two. There  were  only  three  large  anchor  tenants  (Cisco, 
Extreme  Networks  and  Foundry  Networks),  but  Alcatel, 
F5  Networks,  Intel,  Juniper,  Polycom  and  Siemens  were 
among  the  other  vendors  that  had  prominent  booths. 

Notably  missing  were  the  major  carriers  —  only  MCI 
showed  up  —  and  the  systems/application  players;  the 
only  companies  with  a  presence  of  merit  were  HP  and 
Computer  Associates.  IBM  had  a  tiny  booth,  and  Sun 
and  Microsoft  skipped  the  event  altogether. 

That probably made things better for the companies
that did exhibit, most of whom seemed pleased to be
here. “There is great activity,” said Gordon Stitt, CEO of
Extreme. “People here are looking for solutions.”

Dan  Simone,  co-founder  of  Trapeze  Networks,  said  he 
didn’t  get  the  impression  that  the  show  was  more  heavily 
trafficked  than  last  year,  but  he  thought  buyers  had  a 
brighter  outlook,  and  he  was  pleased  to  see  good  quality 
leads  coming  in. 

Kevin  Dunlap,  a  product  marketing  manager  for  APC, 
which  sells  data  center  infrastructure,  said  “the  show 
started  slow,  but  by  the  end  of  the  first  day  we  had  half 
of our lead target for the whole show.” A vice president
of  a  major  West  Coast  bank  was  in  the  APC  booth  to 
check  out  the  company’s  InfraStruXure  product,  a  rack 
system  with  built-in  power  and  cooling  for  high-density 
applications. 

“This show is a shadow of its former self, but I don’t
see shows like this going away,” said Bobby Johnson,
CEO of Foundry. “They still serve a need.”

John  McHugh,  vice  president  and  worldwide  general 
manager  of  HP’s  ProCurve  Networking  Business,  put  it 
this way: “Paying customers are down quite a bit, but
that’s because budgets are down. Last year and this
year are as much of an aberration as 1999 and 2000
were, but things are beginning to swing back to the
center.” 




Bitter  memories  of  3Com 

Regarding  “The  3Com  saga”  (www.nwfusion.com, 
DocFinder:  2027):  In  the  late  1990s  I  was  an  IT  man¬ 
ager  for  a  national  healthcare  provider,  in  charge  of 
designing,  purchasing  and  building  a  large  network. 
The  project  involved  purchasing  hundreds  of  small 
office/home  office  (frame  relay)  routers  for  field 
offices, several large core routers for data centers and
a bunch of ATM optical switches for a local OC-3
fiber-based campus metropolitan-area network. The
short list came down to Cisco (high on quality and
functionality) and 3Com (low on cost). The requirements
were simple — basically to route IP for applications
including e-mail, ERP, billing and other business
functions. We really didn’t need the advanced
feature set provided in the more costly Cisco IOS.

During  evaluations,  we  were  given  multiple  assur¬ 
ances  that  the  CoreBuilder,  NetBuilder  and  other 
3Com  enterprise  lines  were  strong  and  would  con¬ 
tinue  in  development.  Eric  Benhamou,  then  3Com 
CEO,  even  delivered  a  keynote  address  at  a  user 
group  meeting,  in  which  he  gave  yet  more  reassur¬ 
ance  about  the  focus  and  direction  of  3Com  enter¬ 
prise  products.  The  gist  of  his  statement  was,  “These 
are  products  that  form  a  key  market  segment  for 
3Com”  and  “You  are  our  backbone  customers. . . .  We 
will  continue  to  expand  this  market.” 

We went with 3Com and saved hundreds of thousands
of dollars in the short term. Life was good, and
the project came in on time and under budget. For
about six months, we were on top of the world.

Then came that cold day 3Com said would never
happen, when they pulled the rug out from under us
and discontinued all the equipment we had just purchased
and installed. That day had tremendous negative
ramifications for my company and, more
importantly, my own career and financial well-being.

E-mail  letters  to  jdix@nww.com  or  send  them  to  John  Dix,  editor  in 
chief, Network World, 118 Turnpike Road, Southborough, MA 01772.
Please  include  phone  number  and  address  for  verification. 


As the project manager, I was seen as a 3Com “bigot”
and held responsible for the “bad decision.” On the
verge of significant new costs, downtime and impending
re-work, my days were numbered as an employee
at that company.

I believe that, in addition to the decision itself, the
way 3Com played this whole thing out is a large part
of why there is such bad blood. We were sucked in
and catered to while being deceived and lied to at
the highest levels. Then we were hurt big time. 3Com
never offered us any retribution or assistance, and in
fact ignored our calls. I know several other IT professionals
who were burned by 3Com even worse
than I was.

To this day I will never recommend or buy another
3Com product, either personally or in any of the engagements
I manage. I know I should forgive and forget,
but the smugness and deceit still rubs me the
wrong way. And the effects still hurt.

Mike  Zeigler 
Newark,  Del. 

Managing  change 

Regarding the “Face-off” on whether patch management
is the best protection against software vulnerabilities
(DocFinder: 2025): These kinds of “debates”
provide little value. Stop asking the vendors for their
perspectives. The truth is that most security vendors
amount to little more than well-meaning purveyors
of snake oil and elixirs. They take the focus off of the
facts, which are that nearly 80% of all IT outages are
caused by authorized, empowered IT engineers
doing work. A well-thought-out system of preventive,
detective and corrective controls for operations staff
is needed, not intrusion prevention or security folks
inflicting untested patches on their operations
counterparts.

Kevin  Behr 
CTO 
IP  Services 
Eugene,  Ore. 


More  online!  www.nwfusion.com  Find  out  what  readers  are  saying  about  these  and  other  topics.  DocFinder  2022 


—  John  Dix 
Editor  in  chief 
jdix@nww.com 
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STRATEGY  SESSION 

Redefining maintenance

Jeff Kaplan

One of the primary revenue engines for hardware and software companies
has been their maintenance contracts. For many years, most suppliers and
customers took maintenance services for granted. Nearly every time a
company bought a product, it also purchased a maintenance agreement that
provided added insurance that the supplier would fix any problems that
occurred. Until recently, the reliability of many hardware products was
uncertain, and software vendors could get away with pushing out a
constant stream of updates, making maintenance agreements a necessity.

As hardware reliability increases and the rate of software revisions
declines, the need for maintenance agreements has diminished. Product
commoditization also has made it easy to simply throw away a broken
hardware device rather than fix it. And a growing revolt among companies
frustrated with traditional software-licensing arrangements is leading to
the unbundling of many maintenance agreements.

The consequences are significant for hardware and software vendors, many
of which reap upwards of 75% of their operating income from services,
according to the IT Service Marketing Association.

Now the reality of the Maytag repairman syndrome is upon many IT vendors.
Their customers increasingly believe they no longer need their
maintenance services. To counteract this perception, IT vendors must
redefine the meaning of maintenance.

If you ask enterprise executives, end users or IT professionals how they
define product quality, they will tell you that a product must be
continuously reliable, manageable and secure. Cisco is responding to this
by building security features into its networking equipment rather than
offering them as add-ons. Hardware and software vendors should do the
same with their maintenance agreements by adding manageability and
security to their traditional promise of reliability.

How can vendors incorporate these additional elements into their
maintenance agreements economically? Via managed services.

Remote access, monitoring, management and security capabilities now make
it feasible for hardware and software companies to offer multidimensional
maintenance agreements. Instead of just reacting to hardware problems or
periodically issuing software updates, vendors can utilize remote
services to cost-effectively assume greater responsibility for managing
and protecting their products.

This added layer of service also represents a new way of differentiating
vendor products in a competitive market. An increasing number of
companies are outsourcing to reduce costs and offload the hassles of
managing their IT/networking operations. Providing a multidimensional
maintenance service can satisfy these IT needs and encourage companies to
establish strategic sourcing arrangements with their vendors.

Smart enterprise decision-makers recognize that strategic sourcing
arrangements with key vendors can reduce their costs and hassles without
the risks of outsourcing. Urging their vendors to provide
multidimensional maintenance agreements can satisfy their needs while
helping their vendors resolve a key business challenge.




Kaplan  is  managing  director  of  THINKstrategies,  a  consultancy  in 
Wellesley,  Mass.  He  can  be  reached  at  jkaplan@thinkstrategies.com. 


REALITY  CHECK 

MCI's marching orders

Thomas Nolle

When WorldCom went into Chapter 11, image tarnished with accounting
issues, it was a milestone in the telecom industry, a kind of official
ending for the bubble period. Now MCI has been reborn, and its
re-emergence may mark the beginning of an even more important period. MCI
doesn’t have to prove it can do accounting; MCI has to prove it can sell
services profitably.

The new MCI enters a market in which its competitors are seeing downward
revenue trends in every legacy voice/data service. Chapter 11 let MCI
shed some debt, but lower costs are a shield against falling revenues and
profits for only a short time period. No matter how low you set the bar
of cost, double-digit declines in revenue will eventually hit it.

One early scenario regarding how MCI might conduct business after
reorganization had MCI entering the market debt-free and setting prices
at half the competitors’ level. It’s clear this is not what MCI has
planned. Cutting prices wouldn’t stop the revenue declines; it would just
help get to zero revenue more quickly. MCI cannot be profitable,
successful, selling voice or frame or ATM or even VPNs.

So what can MCI do — what must it do?

First, MCI must ensure customer loyalty. To keep customers, MCI has had
to discount more. Some customers are ending long-term contracts, and MCI
needs to renew these deals without giving away the store. The first and
biggest step in doing this is to ensure that MCI’s network services are
absolutely bulletproof, and make aggressive guarantees on availability
and quality of service standard parts of its offerings. Not just
aggressive, in fact, but the best in the industry. Nothing will hurt MCI
more or faster than a big outage or a reputation for shaving the edges of
service-level agreements to its own benefit.

Second, MCI must focus not on current services, but on what those
services can evolve to. VoIP is a fast track to zero revenues unless you
can add useful and exciting features to it. Personal Communications over
IP is the right path — a path that must integrate instant messaging,
voice mail, e-mail, collaboration and other features to support
extraordinary customer control over service behavior. The alternative to
competition on price alone is to add feature differentiation, which is
hard to do when all you’re offering is basic VoIP services.

Third, MCI must exploit content and application services. MCI is still
one of the kingpins of the Internet, and it’s the evolution of the
“all-you-can-eat” basic Internet experience into something more
profitable that offers the company’s greatest long-term hope for success.
IP is the way of the future for everyone, but for no one more than MCI.
UUNET is MCI’s passport to credibility with IP services.

Which brings us to No. 4: MCI must show the industry what the Internet
will become. Not the thing that somehow subsumes all of public
communications into one glorious anti-establishment model, but rather,
the thing that generates hundreds of billions of dollars for U.S.
carriers and a trillion dollars per year worldwide. Why? Because the
service provider market is that big now, and unless MCI wants to fight
for slices of an increasingly smaller pie, it had better be at least that
big in the future. If every household pays broadband rates for Internet
access, it generates only about $45 billion in revenue. If every business
connects to the Internet for e-commerce, that adds another $45 billion
here in the U.S. Total: less than one-third of current revenue, revenue
drawn from those legacy services that are declining every quarter.

MCI was the intellectual force behind the Internet generation, for the
revolution of mass-market data empowerment. This gives it enormous power
to shape the future, but MCI needs to realize that most revolutionary
leaders get killed somewhere in the process. The difference between
market leader and market martyr is simple — success.




Nolle is president of CIMI, a technology assessment firm in Voorhees,
N.J. He can be reached at (856) 753-0004 or tnolle@cimicorp.com.
Armed with Web application firewalls, intrusion-protection systems and
vulnerability scanners, companies can defend against app-level cyberattacks.


Technology Insider: Web application security

The battle between hackers and security professionals has moved from the
network layer to the Web applications themselves. Hackers are using
tricky maneuvers like SQL injection, cross-site scripting, cookie
poisoning and authentication hijacking to gain access to and control of
Web servers. In this Technology Insider, we'll show you how to protect
your Web apps.

Tools

Companies are using a variety of tools, including new, specialized Web
application firewalls to fight back against HTTP-based attacks. This page.

Practical tips for tightening your Web applications defenses. Page 50.

Test

Clear Choice Test: We test two of the leading Web application firewall
appliances and find that they do a solid job of blocking
application-level exploits. Page 54.

Online

Find our Buyer's Guide of Web application firewalls at www.nwfusion.com,
DocFinder: 2044.


All-out blitz against Web app

■ BY PAUL DESMOND

After nearly 20 years of selling software to the financial services
industry, Baker Hill decided two years ago to become an application
service provider, offering access to its programs over the Web.

To support the new offering, the company built a Web infrastructure using
Microsoft technology, including the Internet Information Server (IIS) Web
server, Active Directory and SQL Server 2000, says Eric Beasley, senior
network administrator for Baker Hill, in Carmel, Ind. That technology
choice didn’t sit well with some large clients, who had read about the
Nimda and Code Red attacks that targeted Microsoft platforms. “We had
clients who ultimately decided they would not do business with us unless
we could find a way to secure that Microsoft environment,” Beasley says.

The hacker playbook

Such concerns are well founded because applications are becoming the
prime target for cyberattacks. Experts say firewalls are doing an
adequate job of protecting against common network-layer attacks, and
operating system vendors have cleaned up most of their well-known
vulnerabilities. “The application layer is increasingly what’s left,”
says Scott Blake, vice president of information security for BindView.

Another reason applications are an attractive target is there’s no
shortage of vulnerabilities to go after, and most require little
expertise to exploit, says John Pescatore, an analyst at Gartner.

Since 2002, Gartner research shows that 70% of all successful attacks
have exploited application vulnerabilities. “If you take into account
Slammer, Blaster and others that happened last year, it’s probably up to
90% now,” he says. Pescatore says the problems being exploited fall into
two classes: defects for which a patch has been issued (about 35%) and
misconfigured applications (65%).


Common exploits look for vulnerabilities that can give the attacker root
access to server platforms including Microsoft SQL Server, IIS and
occasionally Apache Web servers, says Fred Avolio, president of Avolio
Consulting.

Among the most dangerous forms of attack is SQL injection, where an
attacker puts unexpected SQL commands into a Web application form field.
This could let an attacker execute commands on the back-end database
server and potentially gain administrator rights. Buffer overflow
attacks, which simply flood an application with more data than it can
handle, likewise can give an attacker the ability to execute commands on
a target system.

Other common exploits include cross-site scripting, which Blake says is
common in phishing attacks. Cross-site scripting can take various forms,
including tricking users into connecting to what appears to be a
well-known Web site to collect personal information or taking over a
user’s Web session.


Defensive  maneuvers 

One of the best forms of defense against application-layer attacks is to
avoid following the crowd because attackers typically target the most
commonly deployed applications. “It’s simply return on investment” from
the hacker’s perspective, Blake says. “Deploy less commonly used
technology to achieve heterogeneity and become a smaller target.”
Similarly, homegrown applications are less likely targets than
off-the-shelf programs.

Pescatore is also a proponent of diversity in terms of operating systems
and server platforms. “It raises the cost of IT management, but it
greatly decreases the odds that you’re going to have a catastrophic
outage,” he says.

Another tip is to expose to the Internet only those services that you
actually need. Slammer, for example, took advantage of “a lot of SQL
Server databases that didn’t need to be exposed to the Internet,”
Pescatore says. It’s also a good idea to zone off crucial applications to
limit unnecessary exposure to the rest of the corporation. “If a big worm
hits my office zone, that’s pretty annoying,” he says. “But if it spreads
to the system that schedules the trains, and the trains don’t leave the
station, that’s disastrous.”

The  zone  defense 

Douglas Brown, manager of security resources at the University of North
Carolina in Chapel Hill, uses an intrusion-prevention appliance from
TippingPoint Technologies to segment his network into a dozen zones.
Should an infection be introduced into a given zone, the TippingPoint
UnityOne 2400 device should keep it contained there, Brown says.

The university was testing the TippingPoint product last August when it
was hit by the Welchia worm, which was launched to eradicate the Blaster
worm that hit the Internet the previous week. “We saw large parts of our
network become unusable, with the exception of the part where we had a
TippingPoint unit,” Brown says.

TippingPoint is an example of an intrusion-prevention system (IPS) that
relies on a combination of attack signatures and protocol anomaly
detection to ward off attacks like Blaster and its variants. At least a
month before Blaster, TippingPoint had released a signature to detect any
attack against the Remote Procedure Call vulnerability that Blaster (and
Welchia) targeted, Brown says.

Unlike intrusion-detection systems (IDS), UnityOne has not given him any
problem with false positives, he says. One reason is that the device sits
in-line, watching all traffic — an average of 500M bit/sec on one link —
and keeping track of entire TCP conversations, to provide context. IDSs
such as the freeware Snort typically look only at mirror ports and don’t
see all traffic.

Since last summer, Brown has installed UnityOne throughout campus. “The
ROI for us is it has stopped major incidents from impacting our network,”
he says. When the Witty worm struck in March, the TippingPoint unit
blocked 50,000 packets per hour, making the worm “basically a non-event
on this campus,” he says.

Basic  blocking  and  tackling 

Another class of product, often called Web application firewalls, seeks
to protect applications by only allowing what it deems is legitimate
traffic. Brown is testing one such device, from Covelight Systems, while
Baker Hill’s Beasley has deployed another, from Teros (formerly Stratum8
Networks). (See review, page 54.)

The Teros Secure Application Gateway “learns” what constitutes normal
application behavior and creates rules that define acceptable application
use. By default, traffic that does not meet those rules is dropped,
Beasley says. If an intruder attempts to inject SQL commands, for
example, the Gateway will recognize that as traffic that is outside the
norm and disallow it.

“The upside is we no longer have to evaluate patches and hot fixes from
Microsoft immediately,” Beasley says. “We still do the evaluation process
and apply them to our environment, but only after we’ve had time to make
sure the patch doesn’t break our Web servers or applications.”

The Teros Gateway also has a Secure Sockets Layer (SSL) acceleration card
that offloads CPU-intensive encryption and decryption tasks from Baker
Hill’s Web servers. “That allows us to run fewer Web servers than we
might otherwise require,” Beasley says. Another benefit is that only one
SSL certificate is required, instead of one for each Web server.

Unlike some of the other Web application firewalls Beasley evaluated
before making his selection nearly two years ago, Teros lets one
appliance run profiles and rule sets specific to different Web
applications. One rule forces all visitors to start their session at the
logon page, which helps to reduce “forceful browsing,” in which an
intruder tries to jump to various parts of the site.
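The "learn normal behavior, drop everything else" model and the start-at-logon rule described above can be sketched as follows. This is an added example, not Teros code or anything from the article: the paths, field names, value shapes and length slack are assumptions constructed for illustration.

```python
import re

LOGON_PATH = "/logon"   # assumed entry page for this example
LENGTH_SLACK = 8        # characters tolerated beyond the longest learned value

# Value shapes, strictest first; learning keeps the strictest shape that fits.
SHAPES = [
    ("digits", re.compile(r"[0-9]+")),
    ("word", re.compile(r"[A-Za-z0-9_]+")),
    ("text", re.compile(r"[A-Za-z0-9_ .,@-]+")),
]


def shape_index(value):
    """Index of the strictest shape matching value, or None if none match."""
    for index, (_, pattern) in enumerate(SHAPES):
        if pattern.fullmatch(value):
            return index
    return None


class LearnedProfile:
    def __init__(self):
        self.rules = {}        # path -> {field: (shape index, longest length seen)}
        self.sessions = set()  # session ids that entered through LOGON_PATH

    def learn(self, path, fields):
        """Record one known-good request observed during the learning phase."""
        known = self.rules.setdefault(path, {})
        for name, value in fields.items():
            index = shape_index(value) if value else 0
            if index is None:
                raise ValueError(f"training value for {name!r} fits no shape")
            old_index, old_len = known.get(name, (0, 0))
            # Widen the rule only as far as the training traffic requires.
            known[name] = (max(old_index, index), max(old_len, len(value)))

    def check(self, session_id, path, fields):
        """Return 'allow' or a 'drop: ...' reason; anything unlearned is dropped."""
        if session_id not in self.sessions and path != LOGON_PATH:
            return "drop: session did not start at the logon page"
        if path not in self.rules:
            return "drop: unknown path"
        known = self.rules[path]
        for name, value in fields.items():
            if name not in known:
                return "drop: unexpected field"
            index, longest = known[name]
            too_long = len(value) > longest + LENGTH_SLACK
            wrong_shape = bool(value) and not SHAPES[index][1].fullmatch(value)
            if too_long or wrong_shape:
                return "drop: value outside learned profile"
        self.sessions.add(session_id)
        return "allow"


def build_demo_profile():
    """Train on constructed known-good traffic (hypothetical paths and fields)."""
    profile = LearnedProfile()
    profile.learn("/logon", {"user": "jsmith"})
    profile.learn("/accounts/view", {"id": "10482"})
    profile.learn("/accounts/view", {"id": "977"})
    profile.learn("/accounts/search", {"name": "Acme Supply"})
    return profile
```

Because the `id` field was only ever seen as digits, a value carrying SQL keywords fails the learned shape without any attack signature being involved, which is also why such a device must be trained and tested against real application traffic before it blocks in production.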

The fear with a Web application firewall — or any device that
automatically blocks traffic — is that it might block legitimate traffic.
Baker Hill goes to great lengths to prevent that scenario, including
using the Teros device in its quality assurance department for testing.
It also has the device installed at its disaster-recovery site, where it
performs still further testing before putting any new application into
production.

The strategy is working well enough that Baker Hill has taken its IDS out
of production. “I was sick of it constantly crying wolf,” Beasley says.
Another big problem he had with the IDS, similar to UNC’s Brown, is that
it has trouble seeing all traffic on a fully switched network. You can
try to do taps and use mirror ports and on and on, but in the end, “It
doesn’t work,” he says.

Pescatore sees different roles for IPS devices and Web application
firewalls. The latter, from vendors including Teros, Sanctum,
NetContinuum and Kavado, are good at protecting Web servers and
applications, but not so good at protecting against worms such as Blaster
and Slammer that target specific vulnerabilities. That’s the strong point
of IPS devices from vendors including TippingPoint, Network Associates
(which acquired IntruVert Networks), NetScreen Technologies, Check Point
(InterSpect) and Internet Security Systems, with its Proventia line.

By 2006, Pescatore thinks the IPS function will be incorporated into
next-generation firewalls.


The  prevent  defense 

Another tactic is the use of vulnerability scanners during the
application development process to catch problems before they are exposed
to the world. Initially, customers bought products such as SPI Dynamics’
WebInspect and Kavado’s ScanDo to scan production Web applications.
Customers quickly realized that scanning applications during development
would nip problems in the bud, and vendors stepped up with interfaces
that made their products simple enough for developers to use.

“We put out a research note over a year ago saying it’s time for
companies to move vulnerability testing up the food chain,” Pescatore
says. “For the clients that have gone that way, it’s proven to be very
effective.”

Avolio agrees, noting it’s easy to make mistakes when writing code. A
simple typo might not prevent code from compiling and running, but it
could create a security vulnerability. An automatic scanner will likely
catch it, whereas a manual code review might not, he says.

John Dias is certainly a believer in doing vulnerability testing early
and often. The senior security analyst with the Computer Incident
Advisory Capability (CIAC), which provides incident response for 105 U.S.
Department of Energy sites, has conducted penetration tests since 1989.
As successful intrusions on Web applications began to creep up about two
years ago, he started evaluating vulnerability-testing tools.

Late last year, he evaluated KaVaDo’s ScanDo and was immediately sold
because it is effective at finding vulnerabilities and it’s simple to
use. Previously only one or two staffers had enough security expertise to
conduct penetration tests. “Now we have a way of getting more people into
it with a very comprehensive tool,” Dias says.

At the same time, the tests are much faster. A typical Web application of
500 pages might take only a couple of hours to scan, he says, down from
three to four days with the previous, manual process. “We used to do it
manually, filling out spreadsheets — I don’t know if we ever really
finished,” he says. “It’s just crazy without some form of automation.”

CIAC is now conducting a few tests per week. “This is the first time I’ve
done vulnerability assessments where the developers themselves are
excited about the findings,” he says. “They willingly rewrite sections of
code that they were iffy about.”


The Yankee Group estimates that the market for Web application security
products and services was $140 million in 2002 and will grow to $1.74
billion by 2007, a compound annual growth rate of 65%.


Web services provide significant motivation for Dias’ interest in ScanDo,
which can scan Simple Object Access Protocol formats and compare what the
Web service is intended to do with what a human operator can try to get
away with. “People are starting to deploy Web services, ready or not, so
we’re looking into all the security issues of Web services crossing
[Department of Energy] sites.”

London Bridge Group, a London developer of financial services software
that also hosts applications for clients, is using SPI’s WebInspect to
look for vulnerabilities in its Web programs. In addition to validating
whether its applications are secure, the tool helps raise the level of
security awareness among its developers, says Mark Johnson, London Bridge
chief security officer, who is based in its Atlanta data center.

Developers run WebInspect after initially writing and running their code,
then fix any security problems before passing the code to quality
assurance for functional testing. “They like the idea that it’ll help
them create something that they won’t have to fix six months later when
we run the [quality assurance] test,” Johnson says.

At the same time, developers learn how to write more secure code from the
feedback that WebInspect gives them. “They may do a trick to pass IDs
from one page to another that they think is slick, but it opens a
cross-site scripting vulnerability,” he says. If WebInspect catches a
problem before it goes into production, and the developer learns the
trick isn’t so slick after all, that’s good all around.

It also makes good business sense to catch security problems early rather
than spend more money to fix them later. In some instances, it’s a
business imperative to meet requirements of new regulations such as the
Sarbanes-Oxley Act, which puts increased scrutiny on public companies —
and their vendors.

Baker Hill, for example, isn’t a public company and thus isn’t
technically subject to Sarbanes-Oxley requirements, but many of its
clients are. “We have to meet the requirements or we won’t get their
business,” Beasley says.

At the same time, 75% of new clients are asking detailed questions about
how Baker Hill secures its Microsoft Web infrastructure, up from about
10% two years ago.

And what of those clients that opted not to do business because of
security concerns? Says Beasley, “We went back to them and got their
business.”

Desmond is president of PDEdit, a high-tech writing and editing firm in
Framingham, Mass. He can be reached at paul@pdedit.com.


Quick  tips  for  Web  application  security 


■  BY  THOMAS  POWELL,  NETWORK  WORLD  LAB  ALLIANCE 

A traditional firewall is commonly employed to restrict Web site access
to Ports 80 and 443, used for HTTP and Secure Sockets Layer
communications, respectively. However, such a device does very little to
deter attacks that come over these connections. URL query string
manipulations including SQL injection, modification of cookie values,
tampering of form field data, malformed requests and a variety of other
nasty tricks are often given free passage on allowed, legitimate traffic.

A Web application firewall, such as those reviewed in this issue (see
page 54) might help address security holes in Web servers and Web
applications, but there is certainly a great deal that a network security
professional could and should do before and after employing such
measures.

So sharpen your pencils: It’s time for Web Application Security 101.


Tip  1:  Don’t  trust,  authenticate. 

If you are in charge of designing or administrating a public Web site,
you need to embrace the fact that you cannot trust your users. If you are
particularly paranoid, you might extend this concept to an extranet or
even an internal site. But the point is that unless the users
authenticate themselves with the site somehow, you have no idea who they
are and what their intentions might be.

Not to suggest that a hacker hides behind every IP address accessing your
site, but can you easily separate legitimate traffic from non-legitimate
traffic? Are those excessive 404 errors in your server log simple
mistakes or someone probing your defenses? You should always err on the
side of caution, and the tips that follow embrace this spirit.
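One way to approach the 404 question raised in Tip 1, as an added example that is not part of the original article: a client that misses many different paths in a short burst looks different from one that keeps hitting the same stale link. The Common Log Format input, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Common Log Format (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jun/2004:10:00:01 -0400] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [07/Jun/2004:10:00:04 -0400] "GET /images/logo-old.gif HTTP/1.1" 404 312
203.0.113.7 - - [07/Jun/2004:10:02:10 -0400] "GET /images/logo-old.gif HTTP/1.1" 404 312
198.51.100.23 - - [07/Jun/2004:10:05:00 -0400] "GET /admin/ HTTP/1.0" 404 312
198.51.100.23 - - [07/Jun/2004:10:05:01 -0400] "GET /backup.zip HTTP/1.0" 404 312
198.51.100.23 - - [07/Jun/2004:10:05:02 -0400] "GET /test/ HTTP/1.0" 404 312
198.51.100.23 - - [07/Jun/2004:10:05:03 -0400] "GET /old/ HTTP/1.0" 404 312
198.51.100.23 - - [07/Jun/2004:10:05:04 -0400] "GET /config.bak HTTP/1.0" 404 312
198.51.100.23 - - [07/Jun/2004:10:05:05 -0400] "GET /logs/ HTTP/1.0" 404 312
192.0.2.44 - - [07/Jun/2004:10:06:00 -0400] "GET /index.html HTTP/1.1" 200 5120
192.0.2.44 - - [07/Jun/2004:10:06:09 -0400] "GET /products.html HTTP/1.1" 200 8230
192.0.2.80 - - [07/Jun/2004:11:00:00 -0400] "GET /press/2000.html HTTP/1.1" 404 312
192.0.2.80 - - [07/Jun/2004:11:20:00 -0400] "GET /press/2001.html HTTP/1.1" 404 312
192.0.2.80 - - [07/Jun/2004:11:40:00 -0400] "GET /press/2002.html HTTP/1.1" 404 312
192.0.2.80 - - [07/Jun/2004:12:00:00 -0400] "GET /press/2003.html HTTP/1.1" 404 312
192.0.2.80 - - [07/Jun/2004:12:20:00 -0400] "GET /press/2004.html HTTP/1.1" 404 312
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse(log_text):
    """Yield (ip, timestamp, path without query string, status) per valid line."""
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip malformed lines rather than guessing at fields
        yield (
            match["ip"],
            datetime.strptime(match["ts"], TS_FORMAT),
            match["path"].split("?", 1)[0],
            int(match["status"]),
        )


def classify_clients(log_text, min_distinct=5, window=timedelta(seconds=60)):
    """Label each client 'probing', 'isolated-404s' or 'normal'.

    A client is 'probing' when it requested at least min_distinct different
    missing paths inside any single time window.
    """
    totals = defaultdict(int)
    misses = defaultdict(list)  # ip -> [(time, path)] for 404 responses
    for ip, ts, path, status in parse(log_text):
        totals[ip] += 1
        if status == 404:
            misses[ip].append((ts, path))

    verdicts = {}
    for ip in totals:
        events = sorted(misses[ip])
        peak, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({path for _, path in events[start:end + 1]}))
        if peak >= min_distinct:
            verdicts[ip] = "probing"
        elif events:
            verdicts[ip] = "isolated-404s"
        else:
            verdicts[ip] = "normal"
    return verdicts
```

The last client in the sample misses five different paths, but 20 minutes apart, so it is not flagged; tune `min_distinct` and `window` to the site's own traffic before alerting on the result.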

Tip  2:  Keep  a  low  profile. 

The first step for a potential intruder is to gather information about
your Web server and any hosted application. Don’t expose anything your
end users don’t need to know and consider the following simple
anti-reconnaissance tactics:

• Remove personal information from your WHOIS records that might be
useful in a social engineering attack and employ a role account instead.

• Make sure your machine is not named something that indicates its
operating system or version.

• Remove the server header from your Web server’s response.

• Remap file extensions of dynamic pages, for example .jsp to .shtm.

• Add custom error pages that suppress useful information about the
server or associated development platform.

• Remove comments, particularly those that indicate implementation
information or the names of site and network personnel, from HTML,
Cascading Style Sheets and particularly JavaScript source.

• Do not expose sensitive file or directory names in the robots.txt file.

You can go deeper with anti-reconnaissance by tweaking your network
firewall and server connection settings to fool tools such as NMAP
(www.insecure.org) that will try to identify your server via its TCP
stack responses. At the HTTP level, you might consider changing your
Web server’s responses to alter header order, mask session cookie
names, and remove other items in the response. A tool such as
ServerMask for Internet Information Systems (www.servermask.com) can
help you perform many of these masking tricks.

Obviously, the competent Web administrator does not solely embrace
security by obscurity. True protection is required. However, inviting
attack to test your site’s “armor” is foolish; the aim is only to keep
potential attackers from easily sizing up defenses and attacking more
successfully by giving the site and server the equivalent of
camouflage.

Tip 3: Use misdirection and misinformation beyond reducing information
exposure.

You should consider using misinformation and misdirection in what you
do reveal. Looking like another type of server, pretending to use a
different technology or giving contradictory information can trip an
attacker into making the wrong types of attacks and clearly signaling
his intention. For example, you might add fake “off-limits” directories
or file names in a site’s robots.txt, comments or error pages so that
users or tools with bad intent reveal themselves for monitoring or
blocking. Other examples of misdirection include:

• Randomized network and HTTP server signatures found in the response
packets.

• False administrator names in page comments or network records that
are known internally to indicate, when used, a social engineering
attack in progress.

• Decoy servers or honeypots (www.honeypots.org) to confuse intruders.

• Send varying error responses or make your site “play dead” by sending
obvious intruders “500 Server Error” responses for all their requests.

There is a great deal of room to expand on the idea of misdirection.
Creating a forest of decoy devices and sites that rotate their
signatures could make finding your site a great pain for a potential
intruder. A service such as Netbait (www.netbaitinc.com) suggests such
thinking is not so wild.

Yet be careful — camouflage will not protect problems, and misdirection
might anger an enemy, inviting attack. In many cases the tactics will
be useless against the “stupid” attack from a robot, worm or script
kiddies following a canned script. These folks don’t care what they are
hitting and hit Apache boxes with IIS attacks and vice versa, so make
sure you can handle what they throw at you.

Tip  4:  Forcefully  deny  bad  requests. 

A user's request just might not be safe to execute. Simple attacks
focus on trying to modify the HTTP request to cause something bad to
happen. You can use an application firewall or server filter to
eliminate bad HTTP requests such as very long URIs, funny characters,
unsupported methods and headers, and any other obviously malformed
requests.

You should be aware of the types of data and programs in your site. If
you know what is allowed, anything else should be disallowed — the
so-called positive model. For example, requests for Active Server Pages
files in a site built in PHP are problematic. Make sure to purge all
unused files, particularly backup files (.bak). Turn off your server’s
directory browsing option. And remove any unused extensions from your
server’s configuration.
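
The positive model from Tip 4, as an added example that is not part of the original article or of any product it mentions: a request check for a hypothetical PHP-only site that denies everything it does not explicitly allow. The policy values and the name check_request are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed policy for a hypothetical PHP-only site; tune every value to your own site.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_EXTENSIONS = {"", ".php", ".html", ".css", ".js", ".png", ".gif", ".jpg"}
MAX_URI_LENGTH = 1024
MAX_HEADER_LENGTH = 2048
SAFE_PATH = re.compile(r"/[A-Za-z0-9._/-]*")   # the only characters a path may contain


def check_request(method, uri, headers):
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    if method not in ALLOWED_METHODS:
        return False, "method not allowed"
    if len(uri) > MAX_URI_LENGTH:
        return False, "URI too long"
    for name, value in headers.items():
        if len(name) + len(value) > MAX_HEADER_LENGTH:
            return False, "header too long"
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
            return False, "control character in header"

    # Decode the path exactly once; a '%' that survives means the path was
    # double-encoded or not decodable, so refuse it rather than guess.
    decoded = unquote(urlsplit(uri).path)
    if "%" in decoded:
        return False, "undecodable or double-encoded path"
    if not SAFE_PATH.fullmatch(decoded):
        return False, "unexpected character in path"
    if ".." in decoded.split("/"):
        return False, "path traversal"

    # Only file types the site actually serves: .asp on a PHP site and
    # leftover .bak files are both refused here.
    name = decoded.rsplit("/", 1)[-1]
    ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not served by this site"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("GET", "/index.php?id=1", {"Host": "www.example.com"}),
        ("GET", "/default.asp", {}),
        ("GET", "/config.php.bak", {}),
        ("TRACE", "/index.php", {}),
        ("GET", "/%252e%252e/index.php", {}),
        ("GET", "/" + "A" * 2000, {}),
    ]
    for method, uri, headers in samples:
        print(method, uri[:40], "->", check_request(method, uri, headers))
```
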

Tip 5: Sanitize user requests and inputs.

More dangerous attacks focus on modifying inputs to a Web application.
Because the user can bypass any client-side restrictions of input size
or types, you must carefully check all inputs regardless of whether
they happen via a URL query string or a form post. Be particularly
careful to remove any JavaScript submitted via a form that might post
back to a Web page such as a message forum, as it might result in a
cross-site scripting attack.

Hidden form fields and cookies also serve as inputs that you should be
careful to monitor. Avoid putting sensitive data in them, and consider
adding a checksum to verify they have not been tampered with. Be
particularly careful in the case of session cookies. If the form is too
predictable, your application might be open to a cookie hijacking
attack.

When application flow is important, make sure you check referring URLs
and deny any page requests out of sequence. To signal problems, you can
add extra, encrypted cookie information to indicate entry point and
last page visited.
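
The checksum and page-sequence ideas from Tip 5, as an added example that is not from the original article: hidden-field and cookie values carry a keyed checksum (HMAC-SHA256) bound to the field name and session, and a "last page visited" token enforces the order of a hypothetical checkout flow. The token here is signed rather than encrypted, which detects tampering but does not hide the value; the key, field names and page paths are assumptions.

```python
import base64
import hashlib
import hmac

# Assumption: a server-side secret that is never sent to the client.
SECRET_KEY = b"constructed-demo-key-replace-in-production"

# Assumed checkout flow: each page lists the pages it may be reached from.
# None means "no previous page", i.e. a legitimate entry point.
ALLOWED_PREVIOUS = {
    "/cart": {None, "/cart"},
    "/shipping": {"/cart"},
    "/payment": {"/shipping"},
    "/confirm": {"/payment"},
}


def mac(field, value, session_id):
    """Keyed checksum over field name, value and session, each length-prefixed."""
    parts = (field.encode(), value.encode(), session_id.encode())
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    digest = hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def protect(field, value, session_id):
    """Value to place in the hidden field or cookie: 'value|checksum'."""
    return value + "|" + mac(field, value, session_id)


def recover(field, protected, session_id):
    """Return the original value, or None if it was altered, moved to another
    field, or replayed from another session."""
    value, sep, tag = protected.rpartition("|")
    if not sep:
        return None
    expected = mac(field, value, session_id)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return value


def next_flow_token(page, previous_token, session_id):
    """Return a fresh 'last page' token for this request, or None when the
    request arrives out of sequence or with a tampered token."""
    last_page = None
    if previous_token is not None:
        last_page = recover("last_page", previous_token, session_id)
        if last_page is None:
            return None
    if last_page not in ALLOWED_PREVIOUS.get(page, set()):
        return None
    return protect("last_page", page, session_id)


if __name__ == "__main__":
    # Constructed values for demonstration.
    price = protect("price", "19.99", "sess-A")
    print("intact  :", recover("price", price, "sess-A"))
    print("tampered:", recover("price", "0.01" + price[len("19.99"):], "sess-A"))
    cart = next_flow_token("/cart", None, "sess-A")
    print("skip to confirm:", next_flow_token("/confirm", cart, "sess-A"))
```
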

Tip  6:  Monitor  and  test  continuously. 

If you are examining logs only when things go wrong, you aren’t doing
enough. Many times it’s already too late and logs provide only
forensics to help you try to reconstruct the crime or help patch the
hole. Fortunately, spotting a problem more quickly isn’t hard because
application attacks are clearly recorded in your server access log, and
unless the compromise gives the attacker server-level access, they
won’t be able to cover their tracks easily. However, as a precaution,
you might consider multiple logging hosts and using on and off network
monitoring of your site and applications.

While application attacks are often more difficult than network
intrusions for an intruder to cover up, sorting the bad requests from
the good can be hard. To narrow a log down, try filtering on unknown
user agents, unresolvable IP addresses and very fast requests from one
source. Pay attention to your server’s error log and look at 404
requests: They are often not simple mistakes but failed exploits or
probes.

Make sure you test your site using the various vulnerability tools such
as NStealth (www.nstalker.com) to find and plug obvious holes, but
embrace the fact that “zero-day” attacks will continue and an as-yet
indefensible attack might occur.
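
The log filters suggested in Tip 6, as an added example that is not from the original article: a triage pass over access-log lines in Combined Log Format that flags sources with repeated 404s, request bursts or unfamiliar user agents. The thresholds, the list of known agents and the log lines are constructed assumptions; the unresolvable-IP check is left out because it needs live DNS.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"')

# Assumed thresholds and agent list; adjust to your own traffic.
KNOWN_AGENT_PREFIXES = ("Mozilla/", "Opera/", "Googlebot/")
MAX_404 = 3          # this many 404s from one source is worth a look
BURST_COUNT = 5      # this many requests ...
BURST_SECONDS = 2    # ... inside this many seconds counts as "very fast"


def triage(lines):
    """Return {ip: [reasons]} for every source that trips at least one filter."""
    events = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                      # unparseable lines are skipped here
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events[m["ip"]].append((ts, int(m["status"]), m["agent"]))

    findings = {}
    for ip, seen in events.items():
        seen.sort(key=lambda e: e[0])
        reasons = set()
        if sum(1 for _, status, _ in seen if status == 404) >= MAX_404:
            reasons.add("repeated 404s")
        if any(not agent.startswith(KNOWN_AGENT_PREFIXES) for _, _, agent in seen):
            reasons.add("unknown user agent")
        times = [ts for ts, _, _ in seen]
        for i in range(len(times) - BURST_COUNT + 1):
            window = (times[i + BURST_COUNT - 1] - times[i]).total_seconds()
            if window <= BURST_SECONDS:
                reasons.add("request burst")
                break
        if reasons:
            findings[ip] = sorted(reasons)
    return findings


def sample_line(ip, hms, uri, status, agent):
    """Build one constructed Combined Log Format line."""
    return (f'{ip} - - [10/May/2004:{hms} -0700] "GET {uri} HTTP/1.1" '
            f'{status} 512 "-" "{agent}"')


MSIE = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
PROBED = ["/default.asp", "/index.php.bak", "/backup/", "/old/", "/test.asp", "/admin.bak"]

# Constructed sample: one ordinary visitor with a single stray 404, one script
# fetching a page, and one source requesting six missing files in two seconds.
SAMPLE_LOG = [
    sample_line("192.0.2.10", "13:55:36", "/index.php", 200, MSIE),
    sample_line("192.0.2.10", "13:55:40", "/products.php", 200, MSIE),
    sample_line("192.0.2.10", "13:57:12", "/favicon.ico", 404, MSIE),
    sample_line("203.0.113.7", "13:58:03", "/index.php", 200, "libwww-perl/5.65"),
] + [
    sample_line("198.51.100.23", "13:56:0%d" % (1 + i // 3), uri, 404, "-")
    for i, uri in enumerate(PROBED)
]

if __name__ == "__main__":
    for ip, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(ip, reasons)
```
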

Tip 7: Prepare for the worst.

Despite your best efforts, someone might compromise your Web server or
application. Rather than ignoring that possibility, you should come up
with a plan to address a variety of compromises, including:

•  Server  compromise. 

•  Site  defacement. 

•  Application-level  denial  of  service 
(DoS). 

•  Sensitive  data  exposure. 

In the case of server compromise, rolling back to a former state, going
off-line and trying to plug holes are really your only choices.
Similarly, when faced with site defacement you want to be able to roll
back the site quickly or put a standby page in place. Dealing with
defacement isn’t hard, but how can you detect it rapidly? A blatant
home page modification by an intruder is obvious, but without page
checksums detecting minor data modifications might be difficult.
Imagine the damage done by the alteration of a financial press release
on a corporate site.

DoS at the network level is a known attack and can be dealt with by
many devices, but application-level DoS is more difficult to deal with.
With the potential for a robot attack using apparently legitimate HTTP
traffic from open proxies all over the Internet, it might be very
difficult to determine the good users from the bad. Work still needs to
be done in this area, but actively monitoring site traffic is an
important first step.

Sensitive data exposure — such as the revelation of customer data
including credit card numbers, for example — can be difficult to catch.
Security software and devices such as the Teros offering (see story
page 47) can monitor pages for sensitive data patterns and block the
data from being revealed. However, active monitoring is really the best
bet because what is sensitive might not always be as obvious as a
Social Security or credit card number.

Tip 8: Cross the developer-administrator chasm.

The greatest challenge in Web application security is that often the
person who has built the application is not in charge of securing the
application. Without intimate knowledge of the workings of a Web site,
it might be difficult for an administrator to secure it adequately. On
the flip side, developers are likely unaware of the types of attacks
that occur and, therefore, don’t write their code to address them.
Getting the two groups together to share knowledge is truly the
ultimate weapon against Web application security problems.
Tip 1: Don’t trust your users. Make them authenticate.

Tip 2: Keep a low profile. Don't expose legitimate information and use
misinformation or misdirection to weaken targets.

Tip 3: Use misdirection and misinformation. Having your server look
like another type of server running a different operating system can
trip an attacker into making the wrong type of attack or reveal his
malintent.

Tip 4: Forcefully deny bad requests. Know what types of data inputs are
allowed on your site and disallow everything else.

Tip 5: Sanitize user requests and inputs. Check all inputs regardless
of whether they happen via a URL or a form post.

Tip 6: Monitor and test continually. Don't just wait for the logs to
tell you something has already happened. Be pre-emptive.

Tip 7: Prepare for the worst. Have a plan if you should get a server
compromised, have the site defaced, get hit with a denial-of-service
attack or have your sensitive data exposed.

Tip 8: Cross the developer/admin chasm. Make the staff members who
built the application and those charged with securing it communicate
regularly.
Application firewall appliances: Defending servers from HTTP-based
attacks


■  BY  THOMAS  POWELL,  NETWORK  WORLD  LAB  ALLIANCE 


To keep tabs on the emerging Web application firewall market, we
recently reviewed two of the appliance-oriented offerings in this
market — Teros Secure Application Gateway 100SSL Version 3.1 and
MagniFire WebSystems TrafficShield Version 2.5.

While other vendors, including Imperva, NetContinuum and Whale
Communications, were invited to participate, all declined for various
reasons. We tested software-based offerings — such as those Kavado and
Sanctum offer — last summer (see www.nwfusion.com, DocFinder: 2028).

It is clear after this — our second — round of Web application firewall
testing that these products are becoming more capable of addressing
application-level exploits. However, the rough edges of these products
mean it will take significant time and effort by administrators and Web
developers to deploy a reasonable security policy using them.


Teros 100 applies a nice blend of positive and negative firewall model
features that should be capable of protecting all but the most
sensitive applications. On top of its solid security offering, features
that address performance and content safety make Teros 100 the Network
World Clear Choice winner.

Initial configuration is easy and involves setting a few network values
via a command-line interface. Teros 100 primarily presents two
interface ports — a WAN one to the unprotected network and a LAN one to
the protected Web farm(s) — but adds a third port through which you can
set up a defined management console network. All defined networks run
off of 10/100 bit/sec Ethernet ports.

While it would be possible to set up a similar configuration on the
MagniFire product, we found the more explicit approach an encouraging
step to securing the unit itself. Access to the Web console is
conducted via a Secure Sockets Layer (SSL) encrypted browser session,
but the device does not promote strong passwords, limiting the user to
eight characters. The unit does have an increasing wait time on failed
attempts, but console security certainly could be improved.

Further configuration is performed via a highly polished Web-based
interface. However, that is not to say it is without annoyances. For
example, the system’s fixed window size presented a
professional-looking interface, but rendered the logging interface
somewhat useless as full request path entries were often clipped. The
data is available, but you are required to export the log. We also
found intermittent selection and refresh problems, particularly when we
accessed the interface via terminal services and KVM setups.
Annoyances aside, we found the interface generally was well executed,
and context-sensitive help screens were readily available if needed.

The Teros 100 offers solid security, performance-enhancing and content
safety features.

It’s important to point out that the product firmly embraces varied
roles and management levels. We found that the division between a
device administrator and an application administrator clearly indicates
Teros’ understanding of the typical communication gap between Web
developers and network administrators. Even the documentation was split
out into different books to present details relevant to each audience
individually. This approach to management makes Teros ideally suited
for multisite hosted environments or a large-scale corporation with
multiple sites and owners.

Using the Web interface, we found defining protected applications to be
very easy, but it was somewhat awkward to address sites with multiple
domain aliases. Given the common practice of setting many domains for
the same public-facing site, we felt this aspect of the interface could
be reworked.

Setting  the  rules 

Once a Web application is defined, Teros 100 should be put into a
learning mode to monitor user activity and infer an appropriate rule
set. While the traffic-based learning approach lets the product quickly
understand JavaScript client-side interactions and data types sent via
forms easily, the downside is suggested rules might be related to user
error or even a hack attempt. Tolerance levels defined in the device
for observed activity help keep the system from suggesting too many
incorrect rules, but it isn’t perfect.

Administrators cannot assume that all suggested rules are valid or that
observed site traffic will cover the whole application. It is
appropriate to observe usage over time and study the Web application
carefully to develop a quality security policy.

Company: Teros, www.teros.com. Cost: Starting at $25,000.
Pros: Nice blend of positive and negative security models; breach
mitigation features; HTTP acceleration.
Cons: User interface problems; policy generation approach could be
improved.

Company: MagniFire WebSystems, www.magnifire.com. Cost: Starting at
$25,000.
Pros: Strict positive model security settings; crawler-based policy
settings.
Cons: Lacked added features such as breach mitigation,
anti-reconnaissance, performance features; user interface and
documentation.

The breakdown

Security features 45%
Policy generation 20%
Administration 20%
Performance 10%
Documentation 5%

Teros Secure Application Gateway 100
MagniFire TrafficShield
TOTAL SCORE 4.3

Once it was set up completely and had time to establish an adequate
rule set, we found that the device was capable of detecting and
blocking all the common
attacks including forceful browsing, SQL
injection,  form-field  tampering,  cookie 
tampering  and  cross-site  scripting. 

In addition to the positive firewall model, Teros 100 also features a
blacklist of common attack signatures to immediately address common
server attacks. The blend of these two approaches is a nice one, but
there is a little room for trouble in areas such as buffer overflow
attacks via headers and URLs, where lengths were somewhat larger than
expected (such as Error Message 4096). However, these values are easily
tunable by a less-trusting administrator.

During testing we encountered one significant configuration headache.
When protecting a Microsoft Internet Information Server-based site
using SSL, importing the certificate information was awkward because
IIS does not use the .PEM format by default, which is common to
OpenSSL. It would be nice to see some help here for Windows
administrators with either a utility or some documentation to address
this. The MagniFire offering shared this headache, and it is likely to
be common for any Linux-based security appliance trying to protect a
Windows environment.

A particular positive aspect of the Teros offering is that it addresses
the unthinkable — site or application breach. A variety of features are
included to help mitigate the fallout from potential intrusions or site
errors. To thwart site defacement, the device can checksum static pages
and not deliver them if modified. We felt it would be better if the
device hosted a standby page rather than not responding, but the
feature, though incomplete, was still a welcome one.
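
Page checksums for defacement detection, as raised in Tip 7 and in the Teros feature described above, shown as an added example that is not the appliance's implementation or code from the article: a manifest of SHA-256 digests for known-good static pages, an audit that reports modified, missing and unexpected files, and a serving path that answers with a standby page instead of altered content. Page contents, paths and function names are constructed assumptions.

```python
import hashlib
import hmac

STANDBY_PAGE = b"<html><body>This page is temporarily unavailable.</body></html>"


def digest(body):
    return hashlib.sha256(body).hexdigest()


def build_manifest(pages):
    """Record a digest for every known-good static page ({path: bytes})."""
    return {path: digest(body) for path, body in pages.items()}


def audit(current_pages, manifest):
    """Compare the live document root against the manifest."""
    return {
        "modified": sorted(p for p in manifest
                           if p in current_pages and digest(current_pages[p]) != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current_pages),
        "unexpected": sorted(p for p in current_pages if p not in manifest),
    }


def serve(path, current_pages, manifest):
    """Return (status, body). Pages outside the manifest are never served;
    pages whose digest no longer matches are replaced by the standby page."""
    body = current_pages.get(path)
    if path not in manifest or body is None:
        return 404, b"Not found"
    if hmac.compare_digest(digest(body), manifest[path]):
        return 200, body
    return 503, STANDBY_PAGE


# Constructed sample: a press release in which a single digit is altered,
# plus a file that was never part of the published site.
KNOWN_GOOD = {
    "/index.html": b"<html><body>Welcome</body></html>",
    "/press/q1.html": b"<html><body>Net income was $1.2 million.</body></html>",
}
MANIFEST = build_manifest(KNOWN_GOOD)

LIVE = dict(KNOWN_GOOD)
LIVE["/press/q1.html"] = b"<html><body>Net income was $7.2 million.</body></html>"
LIVE["/images/new.html"] = b"<html><body>unreviewed content</body></html>"

if __name__ == "__main__":
    print(audit(LIVE, MANIFEST))
    for path in ("/index.html", "/press/q1.html", "/images/new.html"):
        print(path, serve(path, LIVE, MANIFEST)[0])
```
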

The Teros device also lets you filter pages for specific words. For
example, you might wish to define curse words as “stop” words and
define a common legal statement that must be included in all legitimate
pages as a “go” word.

Teros also offers some built-in filters to protect against information.
And the device can detect common data formats such as credit card
numbers or Social Security numbers. In practice, we found a few
glitches in this feature. Under the permissive settings we established
at one point, the firewall aggressively matched numeric sequences
looking like Social Security numbers that occurred in headers. This
match caused Teros 100 to block all subsequent requests to the site
because it mangled the cookie it used for integrity checking. Certainly
an oversight that needs to be corrected, but despite the rough edges,
when used properly, output blocking was an appropriate feature.
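
Outbound filtering for sensitive data patterns, as an added example that is not the Teros implementation or code from the article: the response body is scanned for card numbers (confirmed with the Luhn check so ordinary long numbers pass) and for Social Security number patterns, while headers and cookies are passed through untouched, which avoids the header-matching failure described above. The patterns, replacement text and sample response are constructed assumptions.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# NNN-NN-NNNN, excluding area/group/serial values that are never issued.
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_body(body):
    """Return (masked_body, findings) for one response body."""
    findings = []

    def mask_card(match):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append("card")
            return "[card number removed]"
        return match.group()    # long number, but not a valid card number

    def mask_ssn(match):
        findings.append("ssn")
        return "[SSN removed]"

    body = CARD_CANDIDATE.sub(mask_card, body)
    body = SSN.sub(mask_ssn, body)
    return body, findings


def filter_response(headers, body):
    """Scan only the body. Headers, including cookies the gateway or the
    application relies on, are returned exactly as received."""
    masked, findings = mask_body(body)
    return dict(headers), masked, findings


# Constructed sample response: the cookie value happens to look like an SSN.
SAMPLE_HEADERS = {"Content-Type": "text/html", "Set-Cookie": "integrity=123-45-6789"}
SAMPLE_BODY = ("Order 1234567890123456 shipped. "
               "Card 4111 1111 1111 1111, SSN 123-45-6789.")

if __name__ == "__main__":
    headers, body, findings = filter_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print(headers["Set-Cookie"])
    print(body)
    print(findings)
```
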

Also unique to the Teros 100 are acceleration features including HTTP
encoding using gzip, SSL acceleration and connection offloading. Given
that application security checks will add some overhead to site
response times, it was nice to see some efforts to mitigate the issue.
Mixing security and performance features in an appliance form factor
follows the trend of generalizing the duties of the front-end devices
to Web farms being promoted by vendors such as NetScaler and Redline
Networks.

MagniFire can burn potential app hackers

The MagniFire TrafficShield is also a Linux-based appliance that takes
a different approach to policy generation and maintenance than the
Teros offering. While the strict, positive model MagniFire promotes
would suggest even tighter application security, we found it lacks
polish and that its implementation could be stronger.

MagniFire’s TrafficShield is Linux-based,

Getting started with the TrafficShield is straightforward. You follow a
simple script to define the basic network configuration.


How  We  Did  It 


We tested the security appliances using three primary sites hosted on
stock installations of Windows 2000 and Windows 2003 — a base site with
simple static content and minimal interactivity for protocol testing, a
corporate site with some dynamic database features and a content
management system susceptible to application attacks written in Active
Server Pages, and a complex intranet/extranet application written in
ASP.NET. Limited testing also was performed with a vendor-provided PHP
application.

We carefully monitored the HTTP interactions using browser proxy tools
such as Achilles and Fiddler and other network utilities such as
SamSpade. Reconnaissance and exploit-detection tools such as NMAP,
HTTPrint, and N-Stealth Security scanner were used to probe the
appliance and, where possible, via HTTP the back-end servers. Load
testing was performed using freely available load-generation offerings
including Microsoft’s Web Application Stress Tool. Multiple browsers,
such as Internet Explorer, Firebird and Safari, were used during
testing.

We encountered occasional problems with Safari, particularly when
running an exploit. Because these results could not be attributed
solely to the tested devices and might have been related to the
browser’s handling of chunked HTTP responses or HTTP encoded responses,
we did not factor this into the findings. We encourage any readers
looking to evaluate HTTP terminating devices, such as application
firewalls, acceleration appliances and reverse-proxy caches, to
carefully evaluate them against their browser population.


More detailed configuring is performed via a Web interface, which we
found to be simpler and more approachable than that of the Teros 100,
but it is not as well implemented. During testing, consistent user
errors occurred because of simple problems such as having similarly
labeled “update” buttons next to each other. Some pages were not well
organized, and others were very clumsy. We could not turn to the help
system for assistance, as it was not functional in the unit we tested.
The company promised these interface glitches would be fixed in a
forthcoming release slated for late June.

A differentiating aspect of management vs. the Teros offering is that
the MagniFire lacks role-based administrative access to the unit or its
associated sites. This feature would be sorely missed in a hosted
environment or a large-scale enterprise deployment. The company says
this also will be addressed in its new release.

Like the Teros 100, the console security could stand some improvement.
The MagniFire device does not limit password length and appears to have
no countermeasures against excessive password guessing.

Once familiar with the device, you set up a base security policy using
a built-in crawler, rather than immediately monitoring user traffic.
The crawler is very able, considering the difficulties that can be
encountered when crawling a complex site using JavaScript, frames and
the like.


Please  secure  your  security  device 


Time and again, it seems security products don't address their own
security as well as they could. While shipping a unit with admin/admin
style access is a necessary fact of life, promoting a loose security
stance in the administration of a device is unforgivable. Vendors of
security-oriented products need to embrace the fact that hacking far
too often comes from within the circle of trust.

An example of an overly trusting security stance was noted during this
test when we found that neither of the devices we tested enforced
strong passwords, aging or many other reasonable security features for
their administration facilities. If these devices are to be trusted to
terminate the outside HTTP connections to keep hackers from the end Web
servers, they might become attack candidates.

Obviously, they also might be open to compromise if they are poorly
designed and/or administrated. Hardened shells are helpful, but neither
vendors nor users should assume it is impossible to access the
underlying system. When “magic key” line options exist to get at extra
or undocumented features, it’s a foreseeable next step that a backdoor
entrance for device upgrade or maintenance also might be available.
What's going to happen if application firewall implementation exploits
and command references are published out in the open?

As intruders inevitably turn to attack application firewalls, we need
to take advantage of their lack of familiarity with these products to
lock down and camouflage these devices. Simple reconnaissance
countermeasures — like server header modification — might partially
disguise the back-end server. But that just isn't enough, particularly
given the devices themselves provide obvious tell-tale signatures in
HTTP responses, cookie names and error pages. If the operating system
version of the appliance is easily found using NMAP, you've got to
start worrying.

Of course we don’t need NMAP to tell us that many Web appliances are
just modified Linux systems often administered by PHP-based Web
consoles. We probably could guess that, but let’s not make the belief
that the device can be hacked any more tempting. While I think most
application firewalls have far better security than a typical origin
Web server, ironically these devices could stand improvement in their
own security practices, and administrators should always remember to
secure their own security devices.

—  Thomas  Powell 
However, we found the crawler could be fooled by some types of
JavaScript usage, including code that is similar to what might be used
in a Dynamic-HTML-based navigation system. Fortunately, to address such
possibilities you can add entry points and adjust the crawler settings.


Digital Document Security and IT: Everything you need to know.

Q: What are the most significant digital copier security issues?

A: Various copier print controllers are actually servers that queue and permanently store multiple document files, providing administrator access to the documents. At a minimum, most digital copiers retain the last document processed; some even retain multiple documents totaling hundreds of pages. Others redirect print jobs when the printer is busy or jammed, making “denial of service” attacks possible.

Q: How does Sharp protect the network interface?

A: The Sharp Ethernet card allows administrators to restrict access and disable unnecessary protocols. With this network card, the Sharp digital copier is essentially protected by its own firewall.

Q: How can you be sure that security products actually perform as claimed?

A: The Common Criteria program — administered by the U.S. National Security Agency and the National Institute of Standards and Technology — evaluates security solutions. Products that are validated under the program meet security levels consistent with ISO 15408 methodology.

Q: How can Sharp improve IT security?

A: Sharp offers print privacy solutions designed to restrict unauthorized personnel from seeing confidential materials. Copier access can be controlled and monitored, while documents retained in printer/copier/scanner/fax memory are immediately cleared to eliminate unauthorized access.

sharpusa.com

be sharp

©2004 Sharp Electronics Corporation.


After the initial policy is built, you can accept the generated rules right away and begin blocking, but it would be better to let the device monitor actual traffic and learn any extra rules necessary. Regardless of being crawler- or usage-generated, adding rules was easy. And it was sometimes easier to understand MagniFire’s suggestions as compared with Teros’ regular expression-based system.


Like Teros 100, TrafficShield identified forceful browsing, data tampering and other common exploits. However, we noted that the MagniFire approach emphasizes very tight security policies. Cookie lengths and request lengths are controlled down to the exact length. Unlike Teros 100, where set limits were defined on certain aspects of site usage, TrafficShield leaves little wiggle room for bad data. The only downside of this tight approach is that it makes maintaining the policy arduous.
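The trade-off described above, sketched as an added example (it is not MagniFire's or Teros' code and not part of the original review): a minimal allow-list policy learned from known-good requests, once with exact observed lengths and once with bounded limits. The request layout, the sample values and the `slack` parameter are constructed assumptions.

```python
from dataclasses import dataclass, field

KINDS = ("cookie", "param")  # request elements the policy constrains


@dataclass
class LengthRule:
    """Allowed length range for one named cookie or parameter."""
    min_len: int
    max_len: int

    def allows(self, value: str) -> bool:
        return self.min_len <= len(value) <= self.max_len


@dataclass
class Policy:
    """Positive security model: anything not learned is a violation."""
    paths: set = field(default_factory=set)
    rules: dict = field(default_factory=dict)  # (path, kind, name) -> LengthRule

    def check(self, request: dict) -> list:
        """Return violation messages; an empty list means the request passes."""
        path = request["path"]
        if path not in self.paths:  # URL never seen in known-good traffic
            return [f"{path}: path not in policy"]
        violations = []
        for kind in KINDS:
            for name, value in request.get(kind, {}).items():
                rule = self.rules.get((path, kind, name))
                if rule is None:
                    violations.append(f"{path}: unexpected {kind} {name!r}")
                elif not rule.allows(value):
                    violations.append(
                        f"{path}: {kind} {name!r} length {len(value)} "
                        f"not in {rule.min_len}..{rule.max_len}")
        return violations


def learn(samples, slack=0):
    """Build a policy from known-good requests.

    slack=0 pins every element to the exact lengths observed (the tight
    style); slack>0 widens each range by that many characters (set limits).
    """
    paths, seen = set(), {}
    for request in samples:
        paths.add(request["path"])
        for kind in KINDS:
            for name, value in request.get(kind, {}).items():
                key = (request["path"], kind, name)
                seen.setdefault(key, []).append(len(value))
    rules = {key: LengthRule(max(0, min(lengths) - slack), max(lengths) + slack)
             for key, lengths in seen.items()}
    return Policy(paths, rules)


# Constructed sample traffic (not captured from any real site).
SID = "a3f9c2e1b7d40856"  # 16-character session cookie
KNOWN_GOOD = [
    {"path": "/login", "cookie": {"sid": SID}, "param": {"user": "alice"}},
    {"path": "/login", "cookie": {"sid": SID}, "param": {"user": "bob"}},
    {"path": "/search", "cookie": {"sid": SID}, "param": {"q": "firewall"}},
]
LEGIT_NEW_USER = {"path": "/login", "cookie": {"sid": SID},
                  "param": {"user": "christopher"}}   # valid, but longer name
TAMPERED_COOKIE = {"path": "/search", "cookie": {"sid": SID * 4},
                   "param": {"q": "firewall"}}        # cookie padded to 64 chars
FORCED_PATH = {"path": "/admin/backup.zip", "cookie": {"sid": SID}}

if __name__ == "__main__":
    for label, policy in (("exact", learn(KNOWN_GOOD)),
                          ("bounded", learn(KNOWN_GOOD, slack=8))):
        for request in (LEGIT_NEW_USER, TAMPERED_COOKIE, FORCED_PATH):
            print(label, request["path"], policy.check(request) or "allowed")
```

Both policies reject the padded cookie and the unlisted path; only the exact-length policy also rejects the legitimate longer user name, which is the false positive an administrator then has to tune away.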

During penetration testing, we found Teros’ approach to field monitoring to be superior overall, but MagniFire was more adept with flow and entry point management. We particularly liked the ability to visualize the flows in the site.

MagniFire could improve how it monitors protected applications. Because TrafficShield does not break out site applications within its logging system, it was difficult to see what was going on at times. We also found the detailed messages in the logs to be generic at times, and single requests showed multiple errors, making it difficult to understand which was the primary trigger. Even in our static Web page testing, we saw befuddling warning messages, suggesting that too tight a security policy might result in false positives.

As with Teros 100, there were many items we wished we had control over, including things such as custom HTTP method allow/disallow, which would be required in complex WebDAV-oriented sites. Simple anti-reconnaissance features such as changing the server response headers were not readily available but had to be accessed via an undocumented switch. Error pages also need to be more flexible. We even were required to upload the error page to the device and perform a restart to make it take effect.

In other cases, TrafficShield was over the top in terms of granularity. The system embraced detailed control over character usage in URLs and form inputs, complete with pull-downs for every single ASCII character. While character set attacks are possible, the approach seemed overkill, save for zealous administrators who, for example, want to filter against the use of the letter “D” in the site.

TrafficShield provides a powerful positive security model, and in the hands of a competent administrator a very strict security posture could be defined and enforced. However, it could be improved with more features including breach mitigation, acceleration and improved device security.

Powell (tpowell@pint.com) is the founder of PINT, a San Diego Web development and consulting firm. He is also the author of numerous books on Web development practices, including JavaScript: The Complete Reference and Web Design: The Complete Reference.


■ PROFILE:

| | MAGNIFIRE WEBSYSTEMS | TEROS |
|---|---|---|
| Location: | HQ in New York; R&D in Tel Aviv | Santa Clara |
| Founded: | 2002 | 2000 |
| First product released: | September 2003 | June 2002 |
| Financing: | Jerusalem Venture Partners, Lucent Venture Partners | Institutional Venture Partners, BA Venture Partners, New Enterprise Associates, CMEA Ventures, Chevron Ventures |
| Total VC funding: | $8.5M | $8.5M |
| Management: | CEO Eithan Bauch, former CEO of IP telephony vendor Tundo, also worked at Pacer/CATS. | CEO Bob Walters was formerly at Securent Technologies and before that at Linuxcare, Informix and Red Brick Systems. |

How  secure  is  your  digital  information? 


Protect your information with the Data Security Kit from Sharp. Financial facts, personnel records, customer lists: networked copiers/printers process sensitive information every day. Unfortunately, their hard drives can also be accessed via the network, contributing to $60 billion worth of information theft every year.* To protect this weak link in your corporate security, we've created our Data Security Kit. It's the first copier and printer protection to be validated by Common Criteria, a government-sponsored program, and it's available only with our Digital IMAGER™ series of copiers/printers. Sharp's Data Security Kit. Enhanced information protection at your fingertips. sharpusa.com/security

Common Criteria
SERIOUS EVENT LOG MANAGEMENT.

WITHOUT THE BULL.


Installing  some  of  today's  mega  management  software  packages  is  often 
like  unleashing  a  bull  in  a  china  shop,  or  at  least  in  your  network. 

This  is  why  Dorian  Software  Creations'  modular  approach  lets  you  decide 
and  deploy  the  event  log  management  strategy  that  works  best  for  you  and 
best  meets  your  needs. 

Look  to  Event  Archiver™  for  automated  log  collection,  Event  Analyst™  for 
log  filtering  and  reporting,  and  Event  Alarm™  to  monitor  your  log  files. 
Finally,  they  combine  to  provide  the  only  patent  pending  total  solution  for 
event  log  management,  without  the  bull. 


For a free white paper and other tools to help you build an affordable event log strategy, visit www.doriansoftware.com/roi.
■ CAREER DEVELOPMENT

■  PROJECT  MANAGEMENT 

■  BUSINESS  JUSTIFICATION 


Data  center  staffing 

Automation  and  virtualization  advances  could  force  IT  pros  out  of  work  if  they  don’t  evolve  their  skills. 


■  BY  DENISE  DUBIE 

While  IT  spending  is  on  the  rise,  high-tech  workers  shouldn’t  expect  to  see  a  similar 
increase  in  overall  IT  jobs,  as  new  technologies  to  automate  and  virtualize  data  center 
resources  could  make  some  network  administration  skills  obsolete. 


When pointing fingers about the lack of IT jobs of late, workers and industry watchers often blame offshore outsourcing, but in fact, new technology could share the blame. AMR Research, Forrester Research and Gartner separately report that server consolidation; network, server and storage virtualization; and product road maps toward utility computing ultimately will lessen the need to add entry-level positions in enterprise data centers. And, in some cases, emerging IT implementations could result in layoffs.

“Any time you automate IT tasks, the goal is to reduce the number of people doing it,” says Lance Travis, vice president at AMR. “The theory is these types of technologies will make enterprise companies more efficient and save money, and one way to do that is by reducing staff.”

Utility computing initiatives from companies such as EMC, HP, IBM and Sun propose to help reduce the number of physical servers in data centers, virtualize multiple instances of servers and applications on one box, and pool network, storage and server resources to be automatically distributed as applications and end users demand. These product capabilities could reduce the need for an army of IT workers on hand.

Yet such technology visions aren’t yet a reality, says Travis, who adds, “There is no immediate cause for concern; full-blown deployment of these data centers is years away.”

Scott Hopkins, vice president of technology services and planning at Harte-Hanks Data Technologies in Billerica, Mass., says new technologies will make low-level IT jobs a thing of the past. But IT workers should see data center advances as a chance to expand their knowledge and add new skills to their resumes.

Growth opportunities

“I see new data center technology as a growth opportunity for individuals to get a bigger and more global view of how technology supports the business,” he says.

Hopkins virtualizes network, server and storage resources, and considers server consolidation an ongoing IT project — his most recent effort let him reduce a mix of Windows and Linux data center servers by 20% to 30%. In the Billerica data center, Harte-Hanks has about 47 Unix-based Sun Solaris heavy-production servers, one mainframe and a few hundred Windows and Linux servers. That location has about 45T to 50T bytes of storage.

He plans to upgrade when products that support a more dynamic data center emerge. To get ready for this change, staff will need training in virtualization and automation tools so they work in concert with the network, storage, application and business groups to deliver an optimized IT service.

“You can retrain and refocus people to move from being pure technologists to adopting a more customer-oriented approach to IT,” he says.

[Photo caption: Scott Hopkins of Harte-Hanks Data Technologies aims to keep staff skilled in new data center technologies.]

TRACY POWELL

[Chart: Server consolidation. More than half of 100 companies Forrester Research surveyed in September 2003 were in the process of rolling out server consolidation in the next 12 months. In the works 51%*; Considering it 28%; Piloting 8%; Already complete 6%; Don’t know 3%; No plans. *Percentage does not total 100, due to rounding.]

[Chart: Virtualization. In another Forrester Research survey in June 2003, nearly half of about 377 firms are planning storage or server virtualization projects. Of that group, close to half will pursue both types of deployments. Both storage and server virtualization 47%; Server virtualization only 38%; Storage virtualization only 15%.]

A  need  to  adapt 

But not all data center staff will evolve with the technology. “It can be difficult and traumatic for those familiar with only one type of computing or resistant to change. And they could lose their jobs if they can’t adapt,” Hopkins says.

Current data center operations exist mostly in silos, or buckets of technology such as network, server, storage and applications. Future data center implementations will, in theory, use products that can scale across the silos, which in turn change job requirements for data center staff.

Industry watchers say that while fewer staff will be needed for redundant, day-to-day tasks, products can’t replace human intelligence and experience. “There may not be a big demand for workers to swap storage tapes or roll out a new server, but there will always be a need for the human, gut reaction to IT events,” AMR’s Travis says.

Paul  Little  agrees.  As  configuration  manager  at  Fidelity 
Information  Services,  a  division  of  Fidelity  National 
Financial  in  San  Diego,  he  uses  virtualization  tools  from 
VMware  (acquired  by  EMC)  and  Softricity,  respectively. 
VMware  reduces  the  number  of  physical  servers  in  his 
data  center,  letting  Little  run  about  20  to  30  virtual 
servers  in  a  500-square-foot  data  center  that  houses 
about  100  Windows,  AS/400  and  Unix  servers. 

Little deployed Softricity because it lets him run and maintain multiple instances and versions of Fidelity Information Services’ applications on fewer servers. It also lets users access more applications without the risk of them changing applications or using the wrong version. Little also is evaluating storage-area networks to centralize storage resources, which is another way to cut costs and boost operational efficiency.

Fidelity Information Services’ forays into virtualization have reduced the need to add more physical servers, trimmed hardware maintenance costs and made parts of application and server rollouts easier, but Little says the new data center technologies have yet to let him leave work early. In fact, he adds that managing multiple servers on one box and several instances of virtualized applications adds to the complexity of his job.

“You still have an operating system, and you still have to install and maintain everything else you need,” Little says. “We’ve accelerated the installation process so we don’t have to do the same task 100 times, but we still have to spend the time to do it right once.”
Free Personal firewall software

www.hotbrick.com/download

Introducing the new HotBrick family of firewalls & managed secure switches...

Call for more info (866) 468-2742 or visit us online at www.hotbrick.com


Don't  get  hacked,  get  HotBrick 


US & Canada Toll free: (800) 526-5958 • Fax: (952) 932-9545


Custom  Management  Levels 


Test-drive  the  new  Observer  9  today  and  see  how  it  immediately 
finds  problems  you  didn’t  know  you  had,  optimizes  network  traffic 
and  provides  insight  for  future  planning.  Call  800-526-5958  for 
a  full  featured  evaluation  or  visit  our  website  at 

www.networkinstruments.com/nine 


OBSERVER 

•  Decode  over  500  protocols 

•  Long-term  network  trending  &  analysis 

•  Real-time  statistics 


Remote  &  Hardware  Options 


REMOTE  NETWORKING  PROBES 

•  Fully  distributed 

•  Monitor  up  to  64  NICs  simultaneously 

•  New  levels  of  problem  solving  collaboration 


EXPERT  OBSERVER 

• What-If Modeling Analysis

•  Expert  Analysis 

•  Connection  Dynamics 

OBSERVER SUITE

• Complete SNMP device management

• Supports full RMON1, RMON2, HCRMON

Introducing Observer 9


GIGABIT  &  WAN  HARDWARE  OPTIONS 

•  Portable  analyzer  systems 

•  Rack-mount  Probes  ready  to  go 

•  Direct,  passive  link  for  independent  views 


New  Application  Analysis 

Remote  probes  now  provide  multi-interface  and 

multi-session  support 

Industry-first  4GB  packet  capture  buffer 

Wireless  Site  Survey  Modes 

Nanosecond  resolution 

Now  over  450  Expert  Events 

SNMP,  RMON  and  now  HCRMON  support 


One  Network  /  Complete  Control  Wired  to  Wireless  •  LAN  to  WAN 




www.networkinstruments.com/nine 

©  2004  Network  Instruments,  LLC.  All  rights  reserved.  Observer,  Network  Instruments  and  the 
Network  Instruments  logo  are  registered  trademarks  of  Network  Instruments.  LLC. 
Enterprise KVM Solutions

AlterPath™ KVM

Advanced Console Servers

AlterPath™ ACS

Network Management Gateway

AlterPath™ Manager

Intelligent Power Distribution

AlterPath™ PM

Cyclades' data center management solutions offer a full range of security features across its entire product line of console servers, power management, KVM, biometric scanner and network management.

With  SSH  v2,  IP  Filtering,  strong  authentication,  event  logging  and 
data  logging,  Cyclades  can  make  your  network  into  a  secure 
heavyweight  contender  in  the  data  center  world. 

LINUX 
INSIDE 

For  a  FREE  white  paper  on  data  center  security,  please  visit  us  at  www.cyclades.com/securitywp 




www.cyclades.com/nw 

1.888.cyclades  •  1.888.292.5233  •  sales@cyclades.com 


cyclades 

Everywhere  with  Linux 


©2004  Cyclades  Corporation.  All  rights  reserved.  All  other  trademarks  and  product  images  are  property  of  their  respective  owners.  Product  information  subject  to  change  without  notice 


104

5/17/04

NetworkWorld

THE HUB OF THE NETWORK BUY

Secure Console Port Management

Extend  Your  Reach 


CCM  Console  Manager  features: 


■  SSH  v2/Telnet  host 

■  Strong  authentication 

■  Offline  buffering 

■  SUN  break  safe 


■  In/out  of  band  access 

■  Point  and  click  access 
to  serial  consoles,  KVM 
and  power* 


*  To  be  provided  in  future  upgrade  for  the  48-port  model. 


Extend  your  reach 


Available  in  8,  16 
and  48-ports. 


Relax  and  fix  the  problem  from  virtually  anywhere. 

When  critical  servers  or  network  equipment  malfunction, 
the  Equinox  CCM  console  manager  and  AVWorks® 
management  software  give  you  the  tools  to  securely  and 
quickly  restore  normal  functionality  from  anywhere. 


For  your  free  white  paper  on 
Best  Practices  for  Secure 
Console  Port  Management  visit 

www.equinox.com/ccm4

For  a  30-day  product  evaluation 
call  1-800-275-3500  ext.  247  or 
954-746-9000  ext.  247 


[Diagram labels: Dial Access Client or Local Terminal; Telnet; SSH Client; AVWorks Software Client; Network; CCM Console Manager; Serial; Linux Server; Unix Server; Windows Server; Router; Switch; Power Control]


One  Equinox  Way,  Sunrise  FL  33351,  email:  sales@equinox.com  or  for  international  customers  email:  intlsales@equinox.com. 

©  2004  Avocent  Corporation.  Equinox  and  AVWorks  are  registered  trademarks  of  Avocent  Corporation  or  its  affiliates.  All  other  marks  are  the  property  of  their  respective  owners. 


UltraMatrix Remote

REMOTE  MULTIPLE  USER 
KVM  MATRIX  SWITCH 
ACCESS  OVER  IP  OR  LOCALLY 


UltraConsole 

PROFESSIONAL  SINGLE-USER 
KVM  SWITCH  SUPPORTS  UP 
TO  1000  COMPUTERS 


•  Connects  1,000  computers  to  multiple  user  stations 
over  IP  or  locally 

•  High  quality  video  up  to  1280  x  1024 

•  Scaling,  scrolling,  and  auto-size  features 

•  Secure  encrypted  operation  with  login  and  computer 
access  control 

•  Advanced  visual  interface  (AVI) 

•  No  need  to  power  down  servers  to  install 

•  Free  lifetime  upgrade  of  firmware 

•  Available  in  several  models 

•  Easy  to  expand 


Connects  up  to  1000  computers  to  a  KVM  station 
Models  for  4,  8,16  computers 
Advanced  visual  interface  (AVI) 

Compatible  with  Windows,  Linux,  Solaris,  and  other  O/S 

Connects  to  PS/2,  Sun,  USB,  or  serial  devices 

Converts  RS232  serial  to  VGA  and  PS/2  keyboard 

Free  lifetime  upgrade  of  firmware 

Security  features  prevent  unauthorized  access 

Full  emulation  of  keyboard  and  mouse  functions  for  automatic, 

simultaneous  booting 

Easy  to  expand 


RackView™ 

KVM RACK DRAWER WITH KVM SWITCH OPTION


800  333  9343 

WWW.ROSE.COM 


ELECTRONICS 


SERVERS  WITHIN  YOUR  REACH 
FROM  ANYWHERE 


A  KVM  switch  allows  single  or  multiple 
workstations  to  have  local  or  remote  access  to 
multiple  computers  located  in  server  rooms  or 
on  the  desktop  regardless  of  their  platforms 
and  operating  systems.  KVM  switches  have 
traditionally  provided  cost  savings  in  reducing 
energy  and  equipment  costs  while  freeing  up 
valuable  real  estate. 


Recognized  as  the  pioneer  of  KVM  switch 
technology,  Rose  Electronics  offers  the 
industry's  most  comprehensive  range  of 
server  management  products  such  as  KVM 
switches,  extenders  and  remote  access 
solutions.  Rose  Electronics  products  are 
known  for  their  quality,  scalability,  ease  of  use 
and  innovative  technology. 


Rose Electronics is privately held with world headquarters in Houston, Texas and sells its products worldwide through a large network of Resellers and Distributors. Rose has operations in the United Kingdom, Spain, Germany, Benelux, Singapore and Australia.

Rose Electronics
10707 Stancliff Road
Houston, Texas 77099

ROSE US • +281 933 7673

ROSE EUROPE +44 (0) 1264 850574

ROSE ASIA 65 6324 2322

ROSE AUSTRALIA +617 3388 1540
Raritan's Dominion™ KX. Better KVM Over IP.


As  your  company  grows  and  you're  responsible  for  more  and  more  networking  hardware,  you  have  two  options: 
Get  a  super-scalable  KVM  solution  now,  or  rip  and  replace  later.  Luckily,  the  new  Dominion  KX  lets  you  access, 
diagnose  and  monitor  hundreds,  even  thousands  of  servers  in  any  location  in  the  world  via  KVM  (Keyboard, 
Video,  Mouse)  without  ever  leaving  your  chair. 

With  Raritan's  19  years  of  innovation  in  the  Data  Center,  you  now  have  the  newest  and  most  dependable  choice 
for  an  integrated  KVM  over  IP  switch.  Dominion  KX  is  a  plug-and-play  appliance.  It's  incredibly  scalable,  as  you 
can  see,  delivering  dependable  performance  no  matter  how  big  your  company  gets.  And  by  encrypting  all  KVM 
data,  including  video,  Dominion  KX  provides  the  industry's  most  secure  KVM  over  IP  technology.  It's  the  KVM 
over  IP  solution  that  beats  the  other  options  again  and  again  and  again. 

Schedule  your  on-line  test-drive  today,  by  calling  1-800-724-8090  x1927 
or  by  visiting  us  at  www.raritan.com/927 
The KX Digital KVM Switch

Management Solution

western telematic incorporated

5 Sterling • Irvine • California 92618-2517

Celebrating our 40th Year in DataCom

“Keeping the Net...Working!”

■ Internal 33.6 Kbps Modem
■ Secure Dialback Feature
■ Password Protection
■ Invalid Access Lockdown
■ Periodic Modem “AT” Refresh
■ Seven RS232 DB-9 Console Ports
■ Any-to-Any Port Switching
■ Non-Connect Port Buffering
■ Data Rate Conversion 300 to 115K bps
■ AC and -48 DC Power Options

www.wti.com (800) 854-7226

The APS-8M Asynchronous Port Switch is a cost effective Terminal Server alternative, plus you get an internal modem which saves rack and cabling hassles. Connect multiple devices for on-site and/or dial-up remote communications. High data throughput, full modem and data flow control all add up to make the APS-8M the perfect data switch for today’s remote network management applications.
Power Control

What’s Your ‘Current’ Load?

Verify Amps Used per Circuit with Sentry Input Current Monitor

• Precisely measure the current, in amps, for each power circuit
• Prevent overloads on existing power circuits
• Reduce costs for additional power circuits
• Overcurrent alarms
• Remote Measurement via IP or RS-232
• Local Measurement via digital display
Stop juggling with multiple management tools

ManageEngine OpManager

Network, Systems and Application Management


Take  control  of  your  network,  systems  and  application 
infrastructure  before  it  controls  you.  OpManager  provides 
integrated  management  for  IT  infrastructure. 

Move  to  integrated  management.  Try  OpManager  today... 


Available for Linux, Solaris and Windows

AdventNet www.opmanager.com


FREE 

30  Day  Trial 
Download 
Nail it with OpenNetwork.


If  you’re  faced  with  managing  and  securing  more  and  more  users,  resources  and  services 
in  a  complex,  multi-platform  business  environment,  one  solution  will  ensure  you  don’t  end 
up  banging  your  head  against  the  wall. 


OpenNetwork’s  non-intrusive,  end-to-end  identity  management  software  platform 
leverages  your  existing  technology  infrastructure  and  extends  it  across  heterogeneous 
platforms  to  meet  evolving  business  requirements. 


Features  and  functionality  include: 

>  A  single,  unified  point  of  Web-based  administration 
(available  in  .NET  and  Java  versions) 

>  Single  Sign-On 

>  Self-service  password  management 

>  Delegated  administration 


>  Automated  workflow 

>  Robust  provisioning 

>  Detailed  auditing 


To  find  out  more  about  OpenNetwork  or  to  try  our  product,  visit  www.opennetwork.com/goto/nw 


OpenNetwork  can  help  you  solve  immediate  business  problems  while  laying  a  foundation  that 
lets  you  add  functionality  on  an  as-needed  basis  to  meet  longer-term  goals,  such  as 
federation  and  Web  services  security.  It  eliminates  the  need  for  cumbersome  point  solutions, 
so  you'll  see  a  rapid  ROI  and  the  lowest  total  cost  of  ownership  in  the  industry. 


www.opennetwork.com  sales@opennetwork.com  727  561  9500 


OpenNetwork. 

North  America  Europe  Asia  Pacific 


Hammering  out 
a  plan  to  secure 
and  manage 
your  enterprise? 


Global 
Technology 
Associates,  Inc. 


1-800-775-4GTA • www.gta.com • info@gta.com

Who's Protecting Your Network?

GTA  Firewall  Products 

Tough  Network  Security 


✓ Building Firewalls for over 10 years

✓  ICSA  4.0  Corporate  Certification 

✓  5  appliances  to  match  your  network  needs 

✓  Easy,  Flexible  Implementation  Options 

✓ IPSec VPN

✓  Affordable  pricing 
Instantly Search Gigabytes of Text Across a PC, Network, Intranet or Internet

Publish Large Document Collections to the Web or to CD/DVD

♦ over two dozen indexed, unindexed, fielded & full-text search options

♦ highlights hits in HTML, XML, & PDF while displaying embedded links, formatting & images

♦ converts other file types (word processor, database, spreadsheet, email, ZIP, Unicode, etc.) to HTML for display with highlighted hits

“The  most  powerful  document  search 
tool  on  the  market”  -Wired  Magazine 


“intuitive  and  austere ...  a  superb 
search  tool”  -PC  World 


“Blindingly  fast”  -Computer  Forensics: 
Incident  Response  Essentials 

“A  powerful  arsenal  of  search  tools” 
-The  New  York  Times 

dtSearch  “covers  all  data  sources ... 
powerful  Web-based  engines”  -eWEEK 

“Searches  at  blazing  speeds” 

-Computer  Reseller  News  Test  Center 

In  the  past  two  years,  over  half  of  the 
Fortune  15  purchased  dtSearch 
developer  or  network  licenses. 

See  www.dtsearch.com  for: 

♦  hundreds  of  developer  case  studies  &  reviews 

♦  fully-functional  evaluations 

1-800-IT-FINDS

sales@dtsearch.com 


•  from  $2,500  '  *  from  $800 

The  Smart  Choice  for  Text  Retrieval®  since  1991 
To advertise in Network World's Marketplace call Donna Pompoai at 1.800.622.1108

Ht lino logics, inc.
SANTA CLARA, CA 95054
INFO@RECURRENT.COM

WWW.SUUCASE.COM

Luggage,  Fine  Leather  Goods,  Gifts,  and  more! 

Tumi,  Hartmann,  Andiamo,  Samsonite,  Cross 

10%  discount  for  Network  World  readers 
Enter  code  NWW2004 


Attention  Resellers! 


SECUREMATICS 

The  Right  decision  for  Security  Products 

Best Source for SONICWALL
Security Products!

LIMITED TIME OFFER!

• Earn 1 FREE SonicU e-Training
Class for every $15K in SonicWALL
purchases from Securematics.

• New SonicWALL Resellers will receive 1 FREE
SonicU Electronic Training Course with purchase
of any Demo Unit

Securematics is a SonicWALL Authorized Distributor & Training Partner
To sign up for the Medallion Partner Program, please contact us.

Call 888-746-6700 sales@securematics.com www.securematics.com
NE OH Equipment Manufacturer
seeks Software Application Engineer
to design/develop/test
OS level software/compiler and
application modules. Develop
applications with Client/Server
and N-Tier architecture on Unix/
Linux, Windows 9x/NT/2K, DOS,
using C/C++, DDK, VB, Java,
PHP, Perl. DB/App/Web server
Admin and troubleshoot PCs/
LAN in a corporate environment.
Must have experience with Informix
RDBMS on AIX, ESQL/C,
Vermont View Designer, and RF
handheld. Must have C/C++,
DDK, VB/DCOM, and knowledge
in Apache, PostgreSQL,
XML, HTML, CSS, JavaScript,
Truespace. Master's degree in
Computer Science, 2 yrs in-job/
job related exp. Resumes: HR
Manager, 9280 Dutton Dr.,
Twinsburg, OH 44087. No calls.
EOE


Software  Developer,  Sunrise,  FL 
(f/t) - dvlp & implement web
based mortgage applics. &
installations prog.; dsgn &
migrate svcs to new techs & create
plug-ins. Use C++, C-Tree,
InstallScript,  XML,  SQL,  TCP/IP, 
COM,  MFC  &  WinSock.  Offering 
prev  wage.  Rqts:  MA/MS  in 
comp-related  field  &  2  yrs  work 
exp  w.  above  techs.  Resume  to: 
Alan  Newman,  Mortgage 
Systems,  1643  N  Harrison 
Pkwy,  Bldg  H,  Suite  200, 
Sunrise,  FL  33323 


Computers  -  Product  Specialists 
needed.  Seeking  qualified  can¬ 
didates  possessing  BS  or  equiv¬ 
alent  and/or  related  work  experi¬ 
ence.  Duties  include:  Design, 
develop  &  implement  financial 
payment  processing  software 
products  in  the  areas  of  Card 
Issuing  &  Management,  Internet 
Payment  processing,  Inter¬ 
change  transaction  reconcilia¬ 
tion  and  Data  warehouse  MIS 
systems; Work with Oracle, Sun
Solaris,  J2EE,  Unix  &  C++.  Exp. 
with  ENSCRIBE,  PATHWAY, 
TAL,  Non  Stop  SQL,  BEA  Tux¬ 
edo,  RACAL  HSM  a  plus.  Fwd. 
resume  &  references  to:  Opus 
Software  Solutions,  Inc.,  Attn: 
HR, 1480 Route 9 North, #203,
Woodbridge,  NJ  07095. 


Computer  Software  Associates 
(ICSA)  is  looking  for  IT  profes¬ 
sionals  to  customize  applica¬ 
tions  for  clients  and  business 
develop  and  operation  analyst  to 
promote  IT  business  &  place¬ 
ment.  BS/MS  or  equivalent  re¬ 
quired.  Must  have  related  expe¬ 
rience.  Please  contact  raahu- 
oonnala@icsa-us.com.  EOE 

Anacon  has  openings  for  IT  pro¬ 
fessionals  (software  engineers, 
programmer/system  analysts). 
Candidates  must  have  BS/MS, 
one-year  experience  is  a  mini¬ 
mum.  Skills  in  areas  of  C,  Cobol, 
Oracle,  SQL,  Sybase,  DB2, 
PeopleSoft,  SQA,  VB  are  plus. 
Contact  anacon@anacon.com. 
EOE 


Analyst for full life-cycle appln.
sys dev & maint. Design & analyze
the proj. using MS Project,
BPWin Process Modular &
ERWin Data Modular; Dev web
applns w/ ASP3.0, IIS, Visual
Interdev, MS SQL Server 2000,
MS VB6.0, HTML4.0, DHTML,
Style Sheets (CSS), Java Script
1.2, VBScript, ADO & COM/
DCOM; write stored procs,
views, triggers, user def. fns;
test pages; monitor perf. of
apps & refine utilities; gather
reqs. on web projects; lead &/or
assist in design; dev. use cases,
process flow, storyboards, etc.;
provide training &/or tech.
assist. to jr. programmers; perform
code review of web applns.
for quality of code. Prepare §
508 compliant web pages to
meet accessibility reqs. w/
Bobby Worldwide 5.0 & d/load
docs. (MS Word Doc, MS Excel,
MS PP, Acrobat PDF & Crystal
Reports). MS in CS/Equiv. + 2
yr. exp. Comp. salary. Apply:
BCA,  2180  Satellite  Blvd,  #325, 
Duluth,  GA  30097  with  proof  of 
work  authzn. 


Integrated Software Solutions,
Inc., a rapidly growing IT consulting
Co. has permanent pos
open for Computer Software
Professionals w/BS or equiv &
exp in one of foll skills or in combination:

• Administration-Win NT/2000/Unix
• DBA-Oracle/Sybase
• PeopleSoft & related PeopleSoft Tools
• Main Frames-DB2, CICS, JCL, TSOP
• Oracle Dvlpr-SQL/PL/SQL/Dvlpr 2000
• C, C++, VB, J2EE, ASP
• SAP R/3 & related tools
• QA Testing-WinRunner/LoadRunner/Silk/Rational Suite/Test Director

ISS, Inc., provides competitive
salary & benefits. Applicants
must be willing to relocate/travel
to various unanticipated locs
throughout US. Send resume to:
HR Dept., ISS, Inc., Attn: HR, 55
Princeton-Hightstown Rd, Ste
#103, Princeton Junction, NJ
08550 or email to resumes@iss-inc-usa.com


PROG.  ANALYST  - 
APPLNS  BUILD 

Dvlp customized applns for single
consolidated build for all
Windows Service, ASP & ASP.net
files for financial institutions.
Config. & create installtn docs to
client framework specs. Create
directories & perform white &
black box testing. BS in Comp.
Sci., MIS, Electrical or Electronics
Engnrg + 3 yrs exp. in job
offered or in Software Engnrg
using Applns Build reqd. Must
know KONDOR, NAnt, Concurrent
Versions Systems, Symantec
Visual Cafe, ASP.net, J2EE
and financial industry experience.
High mobility preferred. 40
hrs/wk, OT as reqd, 8 am to 5
pm, $66,730/yr. Submit resume
to: Manager, Butler County
CareerLink, Pullman Commerce
Center, 112 Hollywood Drive,
Suite 101, Butler, PA 16001-5699.
Please refer to Job Order
No. WEB 417195.


IT  PROFESSIONALS 
Manager 

(Glen Mills, Pennsylvania and
other locations through the
U.S.) Oversee technical engagements
for major corporate
clients.  Meet  with  client  manage¬ 
ment  to  assess  strategic  plan¬ 
ning  and  business  operational 
requirements  in  order  to  deter¬ 
mine  engagement  scope,  staf¬ 
fing,  and  budget.  Understand  in¬ 
dustry  specific  business  proces¬ 
ses,  identify  trends  and  define 
the  impact  of  those  trends,  pro¬ 
vide  information  to  clients  re¬ 
garding  the  potential  impact  of 
industry,  legislative  or  regulatory 
changes.  Review  engagement 
plans  with  assigned  professional 
staff  and  oversee  analysis  of 
client  business  operations  and 
engagement  issues  including 
financial,  production,  and  man¬ 
agement  related  projects.  Utilize 
technical  experience  with  entire 
systems  integration  cycles,  in¬ 
cluding  Rational  Requisite  Pro, 
Rational  Rose,  Rational  Suite 
Development  Studio  and  profi¬ 
ciency  in  multiple  programming 
environments  such  as  C/C++, 
Lotus Notes, as well as relational
database management systems
DB2, Oracle, SQL Server
and  Microsoft  Access,  to  direct 
Systems  Analysts  and  Program¬ 
mers  on  engagements  and  en¬ 
suring  quality  control.  Supervise 
the  implementation  of  operation¬ 
al  and  system  modifications  by 
client  corporations.  Formulate 
and  define  systems  scope  and 
objectives  for  engagements. 

Salary $101,000 per year. Mon-Fri,
9:00 am to 5:00 pm. The position
requires: Bachelor's degree
or equivalent in Computer
Science, Math, Engineering
(any), Information Systems or
Business Administration + 3
years of experience in the job
offered or 3 years of experience
as a Senior Software Programmer,
Senior Consultant or Software
Programmer. Must have
two years technical experience
with Rational Tools (Rational
Requisite Pro, Rational Rose);
programming environments (C/
C++, Lotus Notes) and relational
database management systems
(DB2, Oracle, and SQL Server).
Employer  will  regard  a  foreign 
degree  to  be  equivalent  to  a 
U.S.  Bachelor's  degree  as  deter¬ 
mined  by  an  accredited  creden¬ 
tial  evaluation  service. 

Please  send  your  resume,  refer¬ 
encing  Job  Order  Number  WEB- 
416009  to  the:  PA  Careerlink, 
FLC  Unit,  235  W.  Chelten  Aven¬ 
ue,  Philadelphia,  PA  19144. 
EOE. 


Sr.  Member  of  Technical 
Staff/CAD  Eng.  wanted  by 
telecommunications  company 
based  in  Bedford,  MA.  Must 
have  M.S.  in  C.S.  plus  1  yr.  exp. 
including  ASIC.  Must  be  familiar 
with logic/physical design/optimization
algorithms, logic simulation
scheduling and IC design
flow. Send resume to H.R.
Dept.,  Attn:  J.W.,  TranSwitch 
Corp.  3  Enterprise  Dr.,  Shelton, 
CT  06484. 


Required  Senior  Project  Director 
to  manage  professional  staff  in 
IT  discipline,  manage  and 
enhance  customer  relations  and 
identify  new  business  opportuni¬ 
ties.  Responsible  for  project 
planning,  strategizing  the  deliv¬ 
ery  and  working  closely  with  the 
onsite  /  offshore  team  to  ensure 
smooth  delivery.  Manage  the 
operational,  financial,  and  tech¬ 
nical  performance  of  the  pro¬ 
gram.  Maintain  an  environment 
to  promote  professional  growth 
and  staff  development.  Manage 
relationships  between  existing 
clients  and  potential  new  clients. 
Provides  leadership  and  guid¬ 
ance  to  staff.  Must  be  a  solution- 
oriented  individual.  Will  identify 
business  development  strate¬ 
gies.  Master's  degree  or  equiva¬ 
lent  with  a  concentration  in 
Management/related  studies 
with  3Yrs.  experience  in  job 
offered  or  in  job  involving  overall 
responsibility  for  operation  of 
independent  business  unit. 
Candidate must demonstrate
experience managing multi-discipline,
results-driven programs.
Candidate  with  engineering 
background  req.  Checkable  ref¬ 
erences  req.  Salary:  $100,000/ 
Yr.  Send  this  Ad.  &  2  copies  of 
your  resume/letter  of  qualifica¬ 
tion  to:  Job  Order  2004-131, 
P.O. Box 989, Concord, NH
03302-0989. 


System  Analyst  in  Fairfax,  VA 

To monitor, test, analyze and
troubleshoot wide network of
users, maintain integrity of web
data network. Experienced in
client server, Internet and/or
Web testing. Knowledge of Web
technologies. Knowledge of Bug
Tracking System. Familiarity
with MP3 tech, play streaming
audio on the Internet and in
HTML. Exp in maintenance,
and/or trouble shoot of data network.
Maintenance of software
quality docs, testing checklist.
Enter and maintain bugs into
Defect Tracking System. Self-Motivated.
Ability to multitask.
Time mngmnt and org skills.
Strong technical writing skills.
B.S. in Comp. Science, or related
field and 2 yr exp. Attractive
salary.

Fax resume to Attn: H.R. Arab
Media 703-968-4486.


Programmers  &  Software 
Engineers:  Design/Develop 
Server side/GUI/web enabled
apps. in Microsoft .Net/
related  tools  suite,  Java 
suite,  SQL  Server/Oracle, 
Coldfusion,  COBOL,  Data 
Dictionary/Data  Diagram, 
AS400  &  rel.  tools.  Attn: 
HR,  6962  Main  St.,  Suite 
105,  Woodstock,  GA 
30188. 


CRM Software Development
Manager. Multiple openings.
Responsibilities include: management
including hands-on
design, development and implementation
of Internet/Intranet/
Web-based Customer Relationship
Management (CRM) software
systems using Microsoft
Visual C++, Visual Basic, O-O
Modeling, COM/COM+, IIS,
ASP, XML, XSL, XML Schema,
CSS, Java Script/VB Script,
DHTML, ADO, PL/SQL, T-SQL,
SQL Server 2000, Oracle DBMS,
Microsoft Transaction Server,
Visual Interdev, MS Project,
Visio, Microsoft VB.NET, Biztalk
Server 2000, Rational Rose,
Windows 2000 Advanced Server;
manage the design and
development  of  n-tiered  web 
architectured  applications;  and 
perform  budgetary  and  price 
analysis  for  CRM  development 
projects.  Must  have  a  Master’s 
Degree  in  Computer  Science  or 
a  related  field  and  three  years  of 
experience  as  a  Software  Engin¬ 
eer  or  in  a  related  occupation,  or 
a  Bachelor's  Degree  in  Comput¬ 
er  Science  or  a  related  field  and 
five  years  of  experience  as  a 
Software  Engineer  or  in  a  relat¬ 
ed  occupation.  If  interested,  sub¬ 
mit  resume  in  duplicate  to: 

Ms.  Cassandra  M.  Stewart 
Human  Resources  and 
Office  Manager 
CAS  Systems  of  America,  Inc. 
1100  Abernathy  Road 
Building  500,  Suite  750 
Atlanta,  Georgia  30328 


Systems  Analyst  (CO).  Design, 
code,  test  &  enhance  various 
components  (including  GUIs)  for 
convergent  billing  mediation 
solutions  including  ST500i  & 
ST5000i  &  Record  Keeping 
Servers  (RKS)  for  packet  cable. 
Estimate  development  &  testing 
efforts.  Prepare  Rational  Rose 
diagrams,  detail  analysis  & 
design documents. Manage system
builds & system integration.
Performed duties using latest
technologies such as COBOL,
C, C++, JAVA, JCL, ORACLE,
MS Access, SQL Server, Lynx,
Unix, Solaris, HTML, XML-XSLT,
ASP, VB Script, Java Script, &
Rational Rose 98. BS/MS in
Computer  Science  or  any 
Engineering  or  related  field,  plus 
relevant  experience.  Send 
resume  to  Vivian  Fernandes, 
Manager  Resource,  MBT 
International,  Inc.,  8310  South 
Valley  Highway,  3rd  Floor, 
Englewood,  CO  80112. 


COMPUTER 

Stentor,  Inc.  currently  has 
opportunities  in  Brisbane, 
CA,  for  the  following  posi¬ 
tions:  Quality  Engineering 
Director,  Computer  Systems 
Analyst-Telecommuting  ok, 
Project  Director  (Director  of 
Partnerships  &  Alliances)  - 
Telecommuting  ok. 

Send  resumes  to 
jobs@stentor.com 

www.Stentor.com 


PROGRESS SOFTWARE
CORP is seeking qualified candidates
to fill the following software
professional positions:

Sr.  Technical  Support  Specialist 
-  (2  positions)  -  Req  #  549 
Analyze,  diagnose  and  trou¬ 
bleshoot  business  software 
application  issues  of  Latin 
American  customers.  Identify 
defects  on  the  product  and  com¬ 
municate  with  Development  as 
needed;  B.S.  CS/MIS  or  equiv 
and  2  yrs.  that  includes 
PROGRESS  4GL,  PROGRESS 
DB,  ADM,  ActiveX  and 
AppServer; distributed computing,
Java, SQL-92, Web technologies,
and HTML. Exp.
resolving  customer  issues.  One 
position  fluent  Spanish  req;  one 
position  fluent  Portuguese  req. 

Principal  Software  Engineer/ 
Architect  -  Req  #  550 
As  a  senior  technical  leader  on 
the  Open  Edge  Dynamics  devel¬ 
opment  team,  specify,  design, 
develop,  integrate  and  docu¬ 
ment  new  middleware  product 
features  and  deliver  against 
aggressive  schedules.  Analyze 
business  requirements,  and 
translate  them  into  technical 
solutions for customers. B.S. CS
or  Bus  or  equiv.  +  5  yrs  exp.,  3  of 
which  must  be  in  design  and 
development  of  complex  middle¬ 
ware  products.  Exp.  must  inc. 
PROGRESS  Dynamics  and 
large  database  design  with 
ERWIN. 

Interested applicants should
submit resume to: S.
Fernandois, Legal Dept.,
Progress Software Corporation,
14 Oak Park, Bedford, MA
01730. Equal Opportunity
Employer. For immediate consideration,
please visit our
career page at
http://careers.peopleclick.com/Client40_ProgressSoftware/BU1/External_Pages_PSC/Jobsearch.htm
and apply on-line,
referring to the requisition # for
the position for which you are
applying.


Computer systems control coordinator:
Manage central-site
Linux, Solaris, Windows, Mac
server and TCP/IP networking
hardware and software;
Administer user accounts and
security mechanisms on
servers; Develop, customize,
and optimize server software
and network applications;
Provide training and consultation
to end-users and other support
staff; Recommend policies
and procedures to effectively
administer enterprise network
services. Implement university
wide integration of Linux,
Solaris, and Windows Active
Directory using LDAP, Kerberos,
PAM, and C language. Req. BS
or equivalent in CS. Must be
proficient in Linux/UNIX internal,
C, PERL, AD, LDAP, and
Kerberos. 40 hr/wk, 8-5. Send
resume to Joe Brenton,
University of North Florida at
4567 St. Johns Bluff Road
South, Jacksonville, FL 32224.


IT  Education  &  Training  Directory 


Contact  the  companies  listed  below 
to  help  you  with  your  training  needs! 


To  place  your  ad  please  call  800-762-2977 


IPexpert,  Inc. 

(866)  225-8064 

www.ipexpert.com 

CCIE  (R&S,  SEC,  and  C&S),  CCSP, 

CCNP,  CCNA,  IP  Telephony 


CBT  Nuggets 

(888)  507-6283  &  (541)  284-5522 
www.cbtnuggets.com 
Affordable  training  videos  on  CD 
MCSE, MCDBA, MCSD, CCNA,
Citrix,  Linux,  A+,  Net  + 
Manager

(Glen Mills, PA and other locations
throughout the United
States). Manage client and consultant
teams during tasks of
writing  Business  Process 
Procedures  (BPPs)  and  test 
scripts  for  unit  testing  and  inte¬ 
gration  testing.  Oversee  staff 
development  of  Business 
Design  Scripts  (BDSs).  Define, 
communicate,  and  control  tasks 
of  process  designers,  configura¬ 
tors,  data  mappers,  trainers,  job 
role  definers,  developers,  and 
3rd  party  vendors.  Set  up  and 
monitor  progress  of  unit  and 
integration  testing.  Assist  with 
the  production  of  process 
designs,  system  configuration 
and  documentation  as  it  relates 
to  the  SAP  Quality  Management 
(QM)  and  SAP  Materials 
Management  (MM)  modules. 
Provide  training  seminars  to 
super  users  and  business  repre¬ 
sentatives  on  SAP  functionality 
for  the  Quality  Management 
(QM)  module  and  Materials 
Management  (MM)  module. 
Provide  expertise  in  integration 
points  between  Quality 
Management  (QM)  and  other 
modules,  such  as  PM  (Plant 
Maintenance),  SD  (Sales  & 
Distribution),  MM  (Materials 
Management),  PP  (Production 
Planning).  Salary  $100,895/ 
year.  Mon.-Fri.  9:00am-5:00pm. 

The  position  requires  a 
Bachelor's  degree  in  Computer 
Science,  Mathematics,  Business 
Administration,  Engineering 
(any  type)  or  Information 
Systems  (employer  regards  a 
foreign  degree  as  equivalent  to 
a  U.S.  Bachelor's  degree  as 
determined  by  an  accredited 
education  evaluation  service)  + 
5  years  experience  in  the  job 
offered  or  5  years  of  experience 
as  a  Senior  Consultant  or 
Consultant.  Related  experience 
must  include  at  least  3  years  of 
experience  in  SAP  Quality 
Management (QM) modules;
SAP  Materials  Management 
(MM)  modules;  Business  Design 
Scripts  (BDSs);  Business 
Process  Procedures  (BPPs); 
and  integration  points  between 
Quality  Management  (QM)  and 
other  modules  such  as  PM,  SD, 
MM  and  PP. 

Please  send  your  resume,  refer¬ 
encing  Job  Order  Number  WEB 
415991  to  the:  PA  Dept.  FLC 
Unit,  235  W  Chelten  Ave., 
Philadelphia,  PA  19144.  EOE. 


SOFTWARE  ENGNR 

Resp.  for  testing,  verification, 
config.  &  deployment  of  engnrg 
software  sys.  utilized  in  the 
operation  of  co's  chem.  &  bio¬ 
logical  facilities.  Specific  duties 
incl:  (i)  devising  stndrds  &  proce¬ 
dures  for  deployment  of  propri¬ 
etary  engnrg  software;  (ii)  test¬ 
ing,  configuring  &  implementing 
engnrg  software  for  co's  opera¬ 
tions;  (iii)  advising  technical 
groups  within  co's  Logistics  & 
infrastructure,  Mechanical,  Pro¬ 
cess  Technology,  Process  An¬ 
alyzer,  Construction  as  well  as 
Project  Engnrg  Groups  with 
respect  to  engnrg  software's 
compatibility with co's other software
sys./tools; (iv) overseeing
engnrg  software's  compliance 
with  data  integrity,  incl.  archival, 
retrieval  &  backup  functions;  & 
(v)  testing  new  hardware  &  soft¬ 
ware  for  entire  co's  tech,  groups. 
BS  in  Electrical  or  Chem. 
Engnrg  reqd.  Must  have  working 
knowledge  of  Matlab,  Visual 
Basic,  Access,  MS  Excel  as  well 
as  Honeywell  Control  Language 
to  test  &  config.  distributed  con¬ 
trol  sys.  for  chem.  plants.  High 
mobility  preferred.  40  hrs/wk, 
OT  as  reqd,  8  am  to  5  pm, 
$66,730/yr.  Qualified  applicants 
please  submit  resume  to:  Site 
Manager,  Beaver  County 
CareerLink,  2103  Ninth  Avenue, 
Beaver  Falls,  PA  15010-3957. 
Please  refer  to  Job  Order  No. 
WEB  417588. 


IT  PROFESSIONALS 
Consultant 

(Glen  Mills,  Pennsylvania  and 
other  locations  through  the 
U.S.).  Under  the  supervision  of 
Senior  Managers,  Managers, 
and  Senior  Consultants,  assist 
in  providing  consulting  services 
for  implementation,  testing,  de¬ 
velopment,  maintenance  and 
enhancement  of  software  appli¬ 
cations  utilizing  the  Rational 
Unified  Process  (RUP)  method¬ 
ologies  as  well  as  Integrated 
Justice  industry  standards,  and 
accompanying  technology/de¬ 
velopment  tools  including  Visual 
Age  for  Java,  Rational  Rose, 
Rational  RequisitePro,  Rational 
ClearQuest,  and  environments 
including  OS/390.  Document 
system  architectures  in  Unified 
Modeling  language  using  Ra¬ 
tional  Rose.  Conduct  System 
Performance  Monitoring.  Imple¬ 
ment  unified  change  control  and 
management  procedures  based 
on  the  Rational  Unified  Process 
(RUP)  methodologies  using 
Rational  ClearQuest.  Assist  to 
formulate  and  define  computer 
information  system  scope  and 
objectives  through  research  and 
fact-finding  to  develop  or  modify 
moderately  complex  information 
systems  tailored  to  client  man¬ 
agement  requirements.  Assist  in 
analyzing  and  revising  existing 
system  logic  difficulties  and  doc¬ 
umentation. 

Salary  is  $81,000  per  year.  Mon- 
Fri,  9:00  am  to  5:00  pm.  The 
position  requires:  Bachelor's  de¬ 
gree  or  equivalent  in  Computer 
Science,  Math,  Engineering 
(any),  Information  Systems  or 
Business  Administration  +  2 
years  of  experience  in  the  job 
offered  or  2  years  of  experience 
as  a  Systems  Analyst  or  Consul¬ 
tant.  Related  experience  must 
include  at  least  one  year  of 
Rational  RequisitePro,  Rational 
ClearQuest,  Rational  Rose,  Inte¬ 
grated  Justice  Industry  Stand¬ 
ards,  Visual  Age  and  OS/390. 

Please  send  your  resume,  refer¬ 
encing  Job  Order  Number  WEB- 
415763 to the: PA Careerlink,
FLC  Unit,  235  W.  Chelten  Aven¬ 
ue,  Philadelphia,  PA  19144. 
EOE. 


MA  based  Company  has  open¬ 
ings  for  Software  Engineers  & 
DBA's:  (Multiple  openings):  Re¬ 
search,  Analyze,  Design,  Devel¬ 
op,  Test,  diagnose,  and  imple¬ 
ment  various  business  applica¬ 
tions. 

Implementing, upgrading and
supporting Oracle Financial Applications
10.7NCA/11i or Oracle
HR, Payroll, Training and Administration.
PL/SQL, SQL*Plus,
SQL*Loader, Discoverer 2000,
Developer 2000, OAS, Forms
(6i), Reports (6i), TOAD, experience
on AP, GL, PO, FA, CM,
PSB, SYSADMIN & AR Modules.
Oracle DBA, Oracle Utilities,
Unix Shell Scripting, PL/SQL,
Erwin Data Modelling/Designing.
Interwoven TeamSite, Installing
and upgrading Teamsite, Templating,
WorkFlow Management,
Content Management System,
Open Deployment, MetaTagger,
ASP.NET, C#, Visual Studio.NET,
XML, XSLT, SQL SERVER2000,
Oracle9i. Dreamweaver 4.0 MX,
Crystal Reports6.0, Lawson Application
8.X, Unisys 2200, Sun
Solaris 2.9, Teradata Datawarehouse,
COBOL, JCL, VSAM, CICS,
DB2, MVS, IMS, VSAM, Expeditor,
Spufi, File-aid, PMX, EDI Gentran
/ Mercator, AS/400, ILE-RPG IV,
CL/400, SQL/400, MAPICS,
Query/400 and DB2/400, Lotus
Notes, PeopleSoft HR/Financials,
BAAN ERP, BAAN tools,
SAP R/3 and ABAP/4, Web
Technologies like Java, J2EE,
JDBC/ODBC, Websphere, MQ
Series, EJB, C/C++, Visual C++
(MFC). Embedded Systems,
Win32 API, Visual Basic 6.0, ATL
COM/DCOM (MTS2.0), CORBA,
Tuxedo, .Net Webservices, Cold
Fusion, CFMX, Datawarehousing
Informatica and Datastage.
SAS 3, WinRunner 6.0, Silk,
Load Runner, Rational Suite,
SQA Suite.

DBA's must have experience in
installation, migration, moving,
setup, monitoring and trouble
shooting of various database
applications. May require travel
to client sites. Software Engineer
$78,000 & up; DBA: $60,000 and
up. Mail resume to CRG Inc, 222
Turnpike Road, Suite# 9B,
Westboro MA 01581.


Computer 

Monarch  Info  &  Technological 
Services,  Inc.,  an  IT  Co.,  has 
openings  for  Software  En¬ 
gineers  &  Programmer  An¬ 
alysts.  Candidates  must  pos¬ 
sess  BS  degree  in  CS, 
Engineering  or  related  field 
plus  2  yrs  of  progressive  exp. 
Send  resume  w/sal  reqmnts 
to: 

8891 Watson St., # 201
Cypress,  CA  90630 
email: 

resumes@mitsinc.com 


Usability  Architect  to  develop 
user-oriented  interfaces  based 
on  Cognitive  Ergonomic/HCI 
principles.  Requires  Masters 
degree  with  focus  in  HCI,  plus  2 
yrs.  experience  as  Usability 
Engineer  involving  computer 
software  development  including 
cognitive  task  analysis,  usability 
testing,  heuristic  evaluation,  in¬ 
ferential  statistical  analysis, 
advanced web technology (AS-400,
HTML, Webserver and
computerized  graphics  design) 
and  Yield  Management  princi¬ 
ples.  Send  resume  to  IS  Human 
Resources,  Attn:  JMVL,  Craw¬ 
ford  Group,  600  Corporate  Park 
Dr.,  St.  Louis,  MO  63105. 


Software  Engineers  for  our 
Naperville,  IL  and  Charlotte, 
NC  offices.  Design  &  Develop 
software  applications  using 
C++,  Oracle,  Sybase,  XML, 
Coolgen, Interwoven, ClearCase,
ClearQuest, Plumtree,
ITS,  PVCS,  UNIX.  Bachelors  or 
Equivalent  req'd  in  Computers, 
Engineering,  Math  or  related 
field  of  study  +2  yrs  of  related 
exp.  40  hrs/wk.  Must  have  legal 
authority  to  work  permanently 
in  the  U.S.  Send  resume  to  HR 
Manager,  Softsol  Resources, 
Inc.,  184  Shuman  Blvd.  Ste. 
200,  Naperville,  IL  60563. 


InstallShield/Java  Developer 
needed  at  client  sites  to  dsgn 
architecture  &  dvlp  enterprise 
level installers using InstallShield
MultiPlatform & dvlp Java
custom beans; create installers
& pkges using InstallShield
DevStudio/AdminStudio, InstallAnywhere
& WISE; code using
Java tech such as AWT, SWING,
RMI,  JNI,  JDBC,  EJB,  JSP,  & 
Sockets;  OS  used  incl  Win, 
Linux,  Solaris,  AIX  &  HP-UX. 
Apply  to:  Global  Consultants, 
Attn:  Hireme,  25  Airport  Rd, 
Morristown,  NJ  07960 


QA  Test  engineers  (TE3&TE4) 

West  Hills,  CA.  QA  design,  vali¬ 
dation,  benchmarking,  mainte¬ 
nance  &  troubleshooting  inte¬ 
grated  &  optimized  financial  soft¬ 
ware.  Define  Test  Objective, 
Modules  &  Regression  Testing 
for  Siebel  CRM.  Environ:  C++, 
Siebel  VB,  PL/SQL,  SQL  Server, 
Java  program  &  script.  Req: 
BS/CS/ENGG  Exp:  3  yr  (TE3),  5 
yr  (TE4)  including  2  as  QA/test 
Eng.  Exp  in  Testing  Tools  (eg. 
WinRunner, TestDirector, LoadRunner),
Siebel testing (TE4
only)  or  validation,  regression  & 
performance  testing.  Resumes: 
N.  Green,  (ref:  QA),  SI,  3500 
Lenox  Rd,  #  200  Atlanta  GA 
30326. 


S/W  Eng  sought  to  perf  prod 
design,  sys  analysis,  &  prog 
activities  w/in  s/w  dev  lifecycle; 
write  functional  &  design  specs, 
prep  tech  doc  of  prod  sub-sys, 
conduct  unit  testing,  integration 
testing;  perf  s/w  defect  verifica¬ 
tion,  release  testing,  &  beta  sup¬ 
port.  Bach  degree  +  2  yrs  s/w 
dev  exp  in  SS7-based  apps 
req'd.  Must  have  knowledge  of 
SS7,  ISDN  User  Part,  standard¬ 
ized  telecomm  testing  tools, 
des/dev  C/C++  apps,  multi¬ 
threaded  &  multi-process  TCP/ 
IP  based  sys  in  UNIX  environ¬ 
ment,  &  Oracle  DB  apps. 
Contact  Lightbridge,  Inc.,  320 
Interlocken  Pkwy,  Broomfield, 
CO  80021  (Attn:  Pat  Jensen)  w/ 
2  resumes.  Job  #1465.0110 


Computer  Support  Specialist  - 
provide  computer  support, 
implemt  &  maintain  networked 
computer  system  &  security  for 
system.  Assist  in  manag'g  data¬ 
base,  develop  customized 
reports  thru  integrated  system 
for  process'g  inventory  levels, 
purchas'g,  sales  &  invoic'g. 
Assist  in  develop'g  websites, 
modif.s  &  tech.  Investigate  & 
resolve  user's  software  &  hard¬ 
ware  problems.  Train  users  & 
answer  inquiries  re  e-mail,  op'g 
systems  &  programm'g  lan¬ 
guages.  35  hrs.  2  yrs  exp  reqd. 
Fax  resume  &  salary  reqmts  to 
(305)  373-5596,  Attn:  Mr.  Baid, 
Karats  &  Facets. 


PROGRAMMER  ANALYSTS 
for  Raleigh,  NC  office.  Devel¬ 
op  &  maintain  software  appli¬ 
cations  using  Oracle,  SQL 
Server,  Erwin,  Linux,  Sybase, 
XML,  UML,  Interwoven,  Cool¬ 
gen,  ClearCase,  ClearQuest, 
Plumtree,  PVCS,  UNIX.  Bach¬ 
elors  or  Equivalent  reqrd  in 
Computers,  Engineering, 
Math  or  related  field  of  study  + 
2yrs  of  related  exp.  40  hrs/wk; 
Must  have  legal  authority  to 
work permanently in the U.S.
Send  resume  to  HR  Manager, 
Globalways,  Inc,  184  Shuman 
Blvd.  Naperville,  IL  60563. 


Product  Analyst:  Req.  Bach¬ 
elor's  degree  in  Computer 
Science  or  related  field  plus  1  yr 
relevant  exp  to  perform  the  fol¬ 
lowing  duties:  write  &  maintain 
business  system  reqs.  for  soft¬ 
ware  products;  interact  &  com¬ 
municate  with  C++,  HTML  & 
XML  programmers  at  technical 
level;  review,  prioritize  &  advo¬ 
cate  for  end-user  needs;  per¬ 
form  data  &  statistical  analysis; 
conduct  user  training;  perform 
system  testing;  deploy  applica¬ 
tions.  Exp.  may  be  obtained 
prior  to  degree.  Liquidnet,  New 
York,  NY.  Fax  resume  to  646- 
674-2085.  Ref.  job  title.  No 
phone  calls. 


SYSTEMS  ANALYST 

Jacksonville, FL full time position
to analyze user requirements,
procedures, and problems to
automate processing or improve
existing computer systems. Plan
and design Windows and Unix
Based Client Server Web, C++,
Visual Basic and Oracle systems.
Competitive salary; Must
have 2 years experience as a
systems analyst. Mail resume
to: Elite Information Services,
Inc.,  2021  Art  Museum  Drive, 
Ste.  110,  Jacksonville,  FL 
32207.  Attn:  F.  Thomas. 


Ringtone  Tool  Software 
Development  Leader  want¬ 
ed  by  comp  s/ware  dvlpmt 
Co.  Must  have  Bach  in 
Comp  Sci  or  related  +  5  yrs 
exp  reqd.  Knowl  of  web 
applic  prgmg  &  WAP  reqd. 
Must  be  fluent  in  Japanese 
&  English.  Respond  to: 
hr@improvista.com 


Programmer  Analyst  w/exp  to 
analyze,  design  &  develop  appli¬ 
cations  to  implement  Straight 
Through  Processing  using 
SWIFT  15022  standards  for  for¬ 
eign  exchange,  fixed  income, 
equities,  derivatives,  future  & 
options  types  of  trade  messages. 
Use  object  oriented  technologies 
with  C++,  C,  Perl,  Shell  Scripting, 
MQ  Series,  Oracle  PL/SQL, 
Sybase,  Sybase  Replication 
Server  &  MS  SQL  Server.  Use 
Mercator,  FS-Manager  Suite, 
TIBCO-RV,  Erwin,  Rational 
Unified Process and V-Shell
server on Win XP/2K/AIX/Solaris
&  VMS.  Mail  Res  to:  Open 
Systems  Technologies,  Inc.,  8 
Winter  Street,  6th  Floor,  Boston, 
MA  02108. 


Programmer  Analysts  needed  at 
client  sites  to  dsgn  &  dvlp  J2EE 
appls  using  Java2,  UML,  Dsgn 
Patterns,  XML,  Solaris  9, 
RDBMS  (Oracle),  OODBMS 
(Versant),  CORBA,  Rational 
ClearCase/ClearQuest,  Borland 
AppServer,  Perl,  MQSeries, 
LotusNotes/Domino  for  telecom, 
credit  &  finance  domains.  Apply 
to:  Hireme,  Global  Consultants, 
25  Airport  Rd,  Morristown,  NJ 
07960. 


Dictaphone  Corp.  looking  for 
Principle  Engineer  for  our  Strat¬ 
ford,  CT  office.  Must  have  M.Sc. 
degree  in  Comp.  Sc.  or  related 
field  &  5  yrs.  of  exper.  dvlping. 
telecom.  &  web-based  embed¬ 
ded  prods.,  incl.  at  least  3  yrs.  of 
exper.  dvlping.  call  recording 
systs.  on  QNX  platform,  as  well 
as  exper.  dvlping.  network  par¬ 
sers,  network  device  drivers, 
packet  filtering,  &  packet  sniff¬ 
ing,  &  programming  w/  C/C++. 
Please  send  resume  to  HR 
Dept.,  Dictaphone  Corp.,  3191 
Broadbridge  Avenue,  Stratford, 
CT  06614.  AD  CODE  -  JP. 


A long and winding road

Microsoft last week laid out a five-year road map for its Windows Server, including its first commitment to a ship date for Longhorn Server.

Year | Server software | Description
2004 | Windows Server 2003 for 64-bit extended systems | Single code base for 64-bit chips.
2004 | Windows Server 2003 Service Pack 1 | Security, performance enhancements.
2004 | (Additional Feature Packs) | Includes Server Performance Advisor, Virtual Server 2005, Windows Update Services.
2005 | Windows Server Longhorn beta 1 | First official beta.
2005 | Windows Server 2003 Update: Code name R2 | Focus on secure information access and workload optimization.
2006 | Windows Server Longhorn beta 2 | Feature set will reflect what will be in final release.
2006 | Windows Server 2003 Service Pack 2 | Feature set not yet announced.
2007 | Windows Server Longhorn | Operating system upgrade featuring .Net Web services, plus security and management enhancements.
2008 and beyond | Windows Server Longhorn Update | Will likely ship late in 2009 with features that weren’t ready in 2007.
2008 and beyond | Windows Longhorn Service Pack | Unspecified feature enhancements to Longhorn Update.

Security

continued from page 1

policy compliance strategy, that’s expected to be announced in the next few weeks, Microsoft is looking to make sure its patches are in place before a user is allowed onto a network. This will be accomplished by allowing for a period of “isolation” while security updates are downloaded to the user, sources say.

The capability to restrict network access based on a security check of a computer, whether an internal employee or trading partner, is increasingly viewed as desirable, particularly when unpatched Microsoft software-based machines introduce crippling worms such as the recent Sasser into corporate networks.

Microsoft’s plan appears similar to Cisco’s Network Admission Control initiative announced last November with the three leading anti-virus vendors: Network Associates, Symantec and Trend Micro. In that plan the anti-virus companies work with Cisco to ensure that Cisco’s trust agent desktop software, which will share policy-compliance data it collects with Cisco routers and management equipment, also can share information with anti-virus software and management consoles.

Cisco wants the three anti-virus vendors to integrate the trust agent into desktop anti-virus and management software. The trust agent software is now in beta and is expected to be released next month.

Microsoft has “the same thing from a quantitative point of view” for security policy compliance, says John Maddison, director of product management at Trend Micro, which is working closely with Microsoft. Microsoft and Cisco have the same goal: Keep computer users from the network until anti-virus updates or patches are added, and make it easy for them to do that.

Instead of focusing on routers and switches, as Cisco has, Microsoft’s approach to policy compliance will depend on making desktop and server software, Active Directory and DNS servers accomplish the task in coordination with anti-virus software, Maddison says. Other anti-virus software vendors are involved in the effort, but Microsoft said it was “too early” to talk about vendor participation and declined to provide details.

However, during his May 4 keynote at the WinHEC conference in Seattle, Jim Allchin, Microsoft’s group vice president for platforms, emphasized the need to add policy-compliance mechanisms for isolation and security-related checks into Microsoft products.

“You have a laptop, you connect through VPN to a company, or maybe you bring the laptop into the company physically and you plug it in, the thing is isolated until it goes through a set of tests,” Allchin said. “We’re working with a set of networking partners to pull this off for the whole experience, so that the PC is isolated until it goes through an approved set of IT tests.” He added these tests would be at the discretion of the IT manager.

“What could that be? It might be that it has to have a certain level of updates turned on, it might have to have a certain level of anti-virus, a certain level of anti-virus signatures, whatever,” Allchin said. “And it has to pass that test before it’s connected to the network.”

Microsoft is expected to ship the first installment of what it calls its isolation technology for marking computers for security checks later this year with Service Pack 1 for Windows Server 2003. It’s expected to work with clients connecting to a network via a VPN. Next year, the company is expected to release Windows Server 2003 Update, which will add wireless and wired connections to the isolation technology.

“This is the notion I’d call ‘just-in-time security.’ It’s the notion timing is everything,” says Pete Lindstrom, an analyst at Spire Security. “And it’s resonating a lot with end users.”

Lindstrom says a number of smaller software vendors, including Citadel, Sygate and WholeSecurity, have security policy-compliance products. Network Associates has worked with Nortel and Check Point, for instance, to ensure their VPNs can validate that a user has the appropriate anti-virus signature updates before letting the user access the corporate network.

Last week, the industry-standards organization Trusted Computing Group announced that by this fall it will publish its first take on a technical specification called Trusted Network Connect that could be used in a multivendor environment for compliance checks for virus and patch updates. Extreme Networks, Foundry Networks, Funk Software, HP, Intel, Juniper, Meetinghouse Data Communications, Network Associates, Sygate, Symantec, Trend Micro and VeriSign are involved in the Trusted Network Connect effort.


Server

continued from page 1

In addition, the update will be bound retroactively to the five-year support life cycle of the original operating system release, meaning users will lose years off the life expectancy of the software and years of free maintenance support.

However, the update will be available at no charge to customers with Software Assurance maintenance contracts or corporate Enterprise Agreements.

Some say the move highlights the fact that Microsoft is making it tougher for users to reject Software Assurance, a maintenance program that is part of Microsoft’s controversial annuity licensing plan. When Software Assurance was introduced in 2001, many users determined the program would increase their software costs and rejected it.

“This will wind users up again because it gives them less and less choice about being on Software Assurance,” says Steve Dunton, CTO of activAeon, which develops a tool that analyzes license usage. “Microsoft knows with [Software Assurance] that unless they bring out new software within the three-year life of the contract people won’t buy it.”

With server software development now on a four-year cycle and with Software Assurance contracts covering only three years, Microsoft needs something to fill the gap to appease those on Software Assurance.

“Software Assurance is a nice side effect of the update. It gives value to people with [Software Assurance],” says Samm DiStasio, group product manager for the Windows Server division.

Some customers have complained recently about not receiving new software, and hence no value, from their first Software Assurance contracts for SQL Server and Windows XP, which are set to expire in June. But as with every other major vendor, Microsoft does not guarantee software upgrades as part of its maintenance contracts.

“If you need [Software Assurance] for these updates, then we are screwed, because we have made a corporate decision not to purchase [Software Assurance],” says George Defenbaugh, manager of global IT infrastructure projects for petroleum company Amerada Hess. He also says purchasing an update and sacrificing two or more years of support doesn’t make any sense.

“Buying Microsoft infrastructure software is like buying a perishable item at the grocery store — once the expiration date hits you better not use it,” Defenbaugh says.

Some analysts say the support hit and Software Assurance requirements likely will dictate how corporations deploy Microsoft software in the future.

“It is very unlikely that people without [Software Assurance] will buy the interim release every two years; they will leapfrog between major releases,” says Al Gillen, an analyst with IDC.

That scenario is what makes Defenbaugh think Microsoft might be polluting a good idea.

“We have been doing a lot of thinking about our own technology road map,” he says. “On the surface what Microsoft is doing is the way we want software delivered — features are optional and we can install them at our leisure. When you have huge releases it is a gut wrench to deploy them. If that can get more modular, then deployment gets much easier. But I won’t do that under [Software Assurance].”

Others say the update model is a good news/bad news scenario.

“It is good they are providing this functionality as it is available, but on the other hand it increases the work we have to do

See Server, page 76
continued from page 74

for testing and rollout,” says one IT architect with a Fortune 100 manufacturer who asked not to be identified. “Windows Server 2003 will take us two years to roll out, which includes testing against our installed applications.”

Microsoft says that because the updates will run on an operating system that is already deployed, testing chores should be minimized.

One aspect of the update model that could be a saving grace is that while an update will boast new features, it also will include the free Feature Packs that Microsoft delivers after a server operating system has shipped. Users can install those features a la carte and independent of the update release. Feature Packs for Win 2003 include Automated Deployment Services, Group Policy Management Console, Rights Management Services and the Server Migration Toolkit. Three others are planned before the end of this year, including the patch management tool Windows Update Services.

But the update model does play into Microsoft’s effort to define value in Software Assurance, experts say.

Over the next two months, Microsoft will see hundreds of thousands of maintenance contracts come up for renewal, which could hold billions of dollars in revenue. The company has said if it gets less than a 10% renewal rate, it might indicate customers don’t value Software Assurance.

To combat that thought, Microsoft in September added training, support and software tools and home-use rights for Office to the Software Assurance menu.

“This [update model] could spur sales of Software Assurance,” says Steve Kleynhans, an analyst with Meta Group. “The whole thing is for Microsoft to find extra goodies to throw into the pot that don’t cost them a whole lot.”

Microsoft has dabbled with the concept already with less-than-spectacular results.

Microsoft Exchange users became upset when Microsoft recently released its Intelligent Message Filter, but made it available only to Software Assurance customers.
continued from page 1

Some say it was born of a need to avoid the prying eyes of keyword searches, while others say it was really just a form of graffiti-like expression in a drab, text-based world.

“It’s a very quick way of identifying who’s in your gang,” says Graham Cluley, senior technology consultant for security vendor Sophos.

In the late 1990s, use of l33tspeak made its way into online chat boards and online games. Since then, it’s been overused — mainly by teenagers trying to win respect among hackers — to the point where it has become a source of amusement or annoyance.


1  before  3  except  after  ( 

L33tspeak  leaves  a  lot  open  to 
the  writer’s  creativity,  but  there 
are  certain  rules  of  thumb  for 
cracking  the  code. 

The first and most basic rule of l33tspeak is to change certain letters to similar-looking numbers or symbols — for example, “e” becomes “3,” “a” becomes “4” or “@,” and so forth.

The second rule is that certain letters need to be transformed into something cooler, ’Nettier — and frankly more l33t. If a word ends in an “s,” it probably ought to end in “z” instead, so “wares” becomes “warez” — or, more correctly “w4r3z.” The letter “x” is eminently more l33t than “ck”; with another tweak or two, that’s how “hacker” becomes “h4x0r.”

Again, there’s a lot of flexibility available here, and the writer could choose to stick with letters and symbols where the substitutions are fairly easy to recognize — or the writer could go with an “advanced” l33tspeak, where the characters are “drawn” rather than substituted.

For example, “M” could become “M” and “U” could become “I J” (see chart for some examples of character representations).

[Chart: Conversion chart. Here’s a handy l33t character exchange guide.]

It seems pretty straightforward — until you see /A l_0+ 01= +3X+ (“a lot of text”).

“It does require skill to read and write quickly, especially when you get away from close representations of actual letters,” says Elias Levy, architect of DeepSite services at Symantec.

A  state  of  mind 

Just as important as the way stuff is written are the words themselves, as l33tspeak includes a vocabulary all its own.

The word “l33t” itself (also “L337”) is really “leet,” a corruption of “elite” and meaning someone who is very good at what they do. The opposite would be a “n00b” (short for “newbie”) or a “lamer” (also “llama”).

If someone says you have been “owned” (written “0wn3d,” or even “pwn3d,” as somewhere along the way the latter became an acceptable misspelling), it’s not a good thing, as it means they have beaten you pretty badly in some fashion. Similarly, to say something “0wnz” means it is pretty cool, and “ownage” — er, “0wn493” — is a general exclamation of coolness. “W00t” is also an exclamation, meaning “hooray.”

There are several places where the average IT person might see l33tspeak. There could be l33t-like wording in the subject line of a spam e-mail message (say, “v1agr@”) as an attempt to sneak past a spam filter.
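
The substitution rules described in this article can be folded away before a filter compares words, so a disguised subject-line word matches the plain keyword it imitates. The following is an added example, not part of the original article: the function names are hypothetical, the sample subject lines are constructed, and the glyphs marked as assumptions in the comments do not come from the article.

```python
"""Fold l33t-style substitutions to a canonical skeleton before keyword matching.

Added illustration; all names here are hypothetical.
"""
import re

# "Drawn" multi-character glyphs are replaced first, before single characters.
# "/\/\" for M is the glyph in the T-shirt phrase quoted in the article;
# the other two are assumed common variants, not taken from the article.
DRAWN_GLYPHS = [
    ("/\\/\\", "m"),
    ("|\\/|", "m"),  # assumption
    ("|_|", "u"),    # assumption
]

# Single-character folds. The disguised token and the blocklist keyword both go
# through this table, so an ambiguous glyph never has to be decoded: "1" can
# stand for "i" or "l", so "1", "i" and "l" all fold to the representative "i".
CHAR_FOLDS = {
    "3": "e",
    "4": "a", "@": "a",
    "0": "o",
    "7": "t", "+": "t",
    "1": "i", "l": "i", "!": "i", "|": "i",  # "!" and "|" are assumptions
    "z": "s", "$": "s", "5": "s",            # "5" is an assumption
}

# Sentence punctuation is stripped from token edges only, so an interior "!"
# can still fold to "i" while a trailing "!" does not corrupt the last word.
EDGE_PUNCT = ".,;:!?\"'()[]"


def skeleton(token):
    """Return the folded, letters-only form of one whitespace-delimited token."""
    text = token.lower()
    for glyph, letter in DRAWN_GLYPHS:
        text = text.replace(glyph, letter)
    text = text.replace("ck", "x")  # the "x" for "ck" rule, applied to both sides
    folded = "".join(CHAR_FOLDS.get(ch, ch) for ch in text)
    return re.sub(r"[^a-z]", "", folded)


def naive_match(subject, blocklist):
    """Exact, case-insensitive token match: the check the disguise is meant to defeat."""
    words = {word.lower() for word in blocklist}
    tokens = [raw.strip(EDGE_PUNCT) for raw in subject.split()]
    return [token for token in tokens if token.lower() in words]


def find_blocked_terms(subject, blocklist):
    """Match tokens to keywords by skeleton and flag the ones that were disguised."""
    wanted = {skeleton(word): word.lower() for word in blocklist}
    hits = []
    for raw in subject.split():
        token = raw.strip(EDGE_PUNCT)
        keyword = wanted.get(skeleton(token))
        if keyword is not None:
            hits.append({"token": token, "keyword": keyword,
                         "obfuscated": token.lower() != keyword})
    return hits


# Constructed subject lines for the demonstration (not real mail).
SAMPLE_SUBJECTS = [
    "Cheap v1agr@ here!",
    "Fresh w4r3z, get them now",
    "1 4/\\/\\ L337",
    "Quarterly wares report",
    "Minutes of the 10:30 meeting",
]
BLOCKLIST = ["viagra", "wares", "leet"]

if __name__ == "__main__":
    for subject in SAMPLE_SUBJECTS:
        print(repr(subject), naive_match(subject, BLOCKLIST),
              find_blocked_terms(subject, BLOCKLIST))
```

The "obfuscated" flag is worth keeping as its own signal: a plain keyword in a subject line may be legitimate, while a keyword that only matches after folding was written to avoid being matched.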

It also can sometimes show up in the posturing of virus writers. Sophos’ Cluley pointed out a rant that was dropped on users’ desktops by the W32/Yaha-K worm, written by an Indian hacking group called the Indian Snakes:

m@iN  mlssIoN  iS  tO  sPreAd 
tHe  nAmE  @YerH$ 
sOO  mUch  tO  cOme... 
eXp3ct  th3  uNeXp3ctEd 
dEdic@t3d  tO  :  mY  b3$t  fRi3nD 

Still, only the lowest echelon of hackers — the so-called “script-kiddies” — would ever write like this, says Joe Hartmann, director of North American AV research for Trend Micro.

“The hackers who want to be recognized for what they do refrain from using l33tspeak,” he says. Although those in the anti-virus profession might come across such writing often, they don’t exactly incorporate it into their own lingo. “In the security industry, you don’t want to make yourself look even younger than you are,” Hartmann says.

Today l33tspeak is considered by many to be a joke. There are l33tspeak “translators” available online, to h4x0r-ize any English phrase typed in. One such translator places “hacker” alongside other “dialects” such as “redneck,” “jive” and “cockney.”

There is even a L337.com e-commerce site offering T-shirts emblazoned with the phrase “1 4/\/\ L337” — along with boxer shorts, lunchboxes, coffee mugs, wall clocks and other l33tspeak merchandise.

Ironically, to speak l33t — at least, to excess — is to betray the fact that one is not l33t. And to wear a baseball cap proclaiming one’s “ski llz”? What does that say?
disabled, it is easy for a hacker to compromise the integrity and security of a Bluetooth device.”

Dell has been using AirDefense’s just-announced BlueWatch to monitor cell phones, some printers and sometimes ad hoc Bluetooth networks in Vigilar’s offices and elsewhere in the building. Recently a visiting vendor was giving Vigilar staff a presentation, with Bluetooth enabled on his laptop. A Vigilar engineer, using BlueWatch, noticed some anomalies, indicating an attempt to connect to the laptop. The group found a client, waiting downstairs, who was trying to make the connection.

AirDefense co-founder Jay Chaudhry tells the story of how his own chief security officer demonstrated how it was possible with a Bluetooth cell phone to use someone else’s Bluetooth cell phone to actually make a call.

There’s no easy solution. As with so much in wireless security, educating users is a key step.

“We need to make users more aware of yet another potential vulnerability,” HomeBanc’s Ciarochi says. “They have to make sure they take care of their wireless connection.”
Worry, worry, worry, worry

Worry No. 1: Last night I was researching songs about the Earth for my son’s fifth grade class. In the process I found a Web site that caused my copy of Symantec’s Norton Anti-Virus to go into hysterics.

What Norton found was a threat that the company calls MHTMLRedir. This is an interesting hacker exploit that, according to Symantec, involves a Web page containing “specially crafted, HTML code that can download and execute programs without prompting you. This threat only affects Microsoft Internet Explorer.”

Symantec went on: “Under normal conditions, Internet Explorer would prompt you before allowing any executable content to be downloaded and executed on the system. This vulnerability in Internet Explorer allows specially crafted HTML to bypass this security prompt.”

Microsoft issued a patch for this problem — “Microsoft Security Bulletin MS04-013, Cumulative Security Update for Outlook Express” (www.nwfusion.com, DocFinder: 2045) on April 13, and while the bulletin’s title only refers to Outlook Express, in the text it says “an attacker [could] access files and take complete control of the affected system. This could occur even if Outlook Express is not used as the default e-mail reader on the system.”

So, if I have been rejecting patches offered through Microsoft’s automatic Windows update system because I don’t use Outlook Express, am I potentially, to use a technical IT term, screwed?

Let’s bottom line it, baby: This means the patch isn’t for Outlook Express at all! It means the patch is for the operating system. So, which Microsoft product manager should I shake warmly by the throat for this ridiculous, dangerous and unnecessary obfuscation of the truth? I am seriously worried.

Worry No. 2: What other Microsoft patches fix things that we don’t know about? A suspicious person might conclude that if the company doesn’t tell you what the patch is really for, then Microsoft might also be patching things that no one knows are broken. We should be worried.

Worry No. 3: But let me be really paranoid: Microsoft easily could be adding code to our systems that we know nothing about.

Given that Adobe, HP and other vendors surreptitiously added anti-counterfeiting features to their products without telling anyone and without ever seeing, as far as anyone knows, the source code involved, what might Microsoft have added in patches that doesn’t fix anything but actually adds what we shall call functionality? Should we be worried?

Worry No. 4: Today I installed an e-mail indexing and search tool called X1. When I started X1 it immediately began indexing all of the 203,000 messages in my Outlook system, and when it finished a couple of hours later I could find any message, attachment, file or contact using complex selection criteria in less than 1 second. Awesome.

But, as X1 processed my e-mail it extracted attachments from messages that I had never opened for one reason or another. This caused Norton Anti-Virus to get hysterical again.

Even though Norton has always been running on my PC and scanning my e-mail, it seems these attachments slipped in under the radar. Of course, had I ever launched the contents of one of these attachments and in so doing invoked a virus or worm, I’m certain that Norton would have caught it. But this wasn’t just a couple of hidden infected payloads, it was more than 300 — roughly 0.15% of my messages!

In a corporate network this would have interesting implications. If 1,000 users have archives of 1,000 messages each, that could be 15,000 hidden infections. Given that end-user anti-virus systems occasionally get turned off for whatever reason, you are guaranteed to see outbreaks of old viruses that will happen randomly forever. Are you worried now?

Tell me your worries at backspin@gibbs.com.
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ByAdamGaffin 


An  enterprise-networking  aggregator 

Feeds  is  our  new  RSS  aggregator  and 
search  engine  (www.nwfusion.com, 

DocFinder:  2046).  Over  the  past  month  or  so,  it  has  grabbed  roughly  150  enter- 
prise-specific  RSS  sources  to  build  a  database  of  enterprise-related  news  items 
and  comments  (it's  already  up  to  more  than  6,000  such  items). This  is  what  sepa¬ 
rates  Feeds  from  other  RSS-based  search  engines  such  as  Feedster —  when  you 
search  Feeds  for  “ATM,”  you  know  you’ll  get  back  items  related  to  asynchronous 
transfer  mode,  not  posts  from  college  students  complaining  about  their  lack  of 
cash. 

Right  now,  Feeds  is  sort  of  between  alpha  and  beta  —  it  works,  but  there  are 
some  rough  edges.  Check  it  out,  kick  the  tires  and  let  me  know  what  would  make 
it  better  (or  what’s  busted). 

Feeds  is  built  on  Drupal  (DocFinder:  2047),  an  open  source  PHP  community 
platform.  What  drew  me  to  Drupal  was  its  RSS  aggregator  and  its  native  support 
for  taxonomies  —  which  is  what  lets  us  create  topic-specific  pages.  One  of  the 
cool  things  about  Drupal  is  that  whenever  you  add  an  item  to  your  taxonomic 
vocabulary,  it  automatically  gets  an  RSS  feed. 

Drupal  also  has  modules  for  everything  from  events  calendars  to  forums  (one 
of  the  cool  things  about  it  is  its  plug-in  architecture  —  you  only  plug  in  what  you 
really  want).  We  keep  getting  requests  for  an  events  calendar,  so  that'll  probably 
be  the  next  thing  I'll  work  on.  Forums,  however,  I’m  thinking  I'll  keep  in  our  current 
Perl  application,  in  large  part  because  one  of  Drupal's  weaknesses,  at  least  for 
me,  is  how  difficult  its  templates  are  to  work  with  if  you  aren't  a  PHP  scripter, 
which  I’m  not  (they  really  make  me  long  for  something  like  MovableType’s  exten¬ 
sive  template  tag  library).  I've  gotten  the  basic  Fusion  look  down,  but  I’m  still 
struggling  a  bit  with  issues  such  as  embedding  metadata  in  individual  pages. 


The cost of blogging

MovableType has come out with the pricing for Version 3.0 of its blogging tool
(DocFinder: 2048).

A commercial license costs $700. That’s not outrageous for good-quality
software, but even for all that, the Version 3.0 license limits you to 15 Weblogs. We
already have way more blogs than that (we use MovableType to power the
reporter notes on all our research-center pages and on our intranet). I *might* be
able to scrounge up $700 (well, $600 if I order now), but I'm really doubting our
finance people would appreciate an unbudgeted bill for $1,400 (minus the $45
discount we’d get for the commercial MovableType licenses we've already
purchased, that is).

So our options are: look for an alternative platform (hmm, Drupal has blogs
built in); move our research pages to our fancy-shmancy content management
system (DocFinder: 2049) (but then we'd lose the commenting function, which was
the main reason we put them in MovableType to begin with); or stick with
MovableType 2.6X, which is working just fine for us now.

If you use MovableType, I’d be interested to hear what you're thinking.

Web-enabled garage-door opener

That's what Mr. Blog has:

“Does it need to be connected to the 'Net and have a Web interface? No. But
why not have a Web interface? Since it has a 'Net connection and full TCP/IP
stack, I gave it APIs that allow it to be controlled and queried remotely over the
’Net. When people wonder why we would want to connect devices and mundane
things like garage doors to the ’Net, an appliance like this shows the utility of
doing so. My garage doors never stay open all night anymore.”

Read more at DocFinder: 2050.

Good news, 'Net Buzz fans: Paul returns next week. But you can keep reading
Gaffin online at www.nwfusion.com/compendium/index.html.




